1 Introduction


The Small Aircraft Transportation System (SATS) program aims to provide an efficient 
transportation alternative to commercial air and ground transportation through general avi- 
ation. The overall goals are to increase mobility, reduce door-to-door travel times, and 
provide air transportation to under-served markets at an affordable cost. To accomplish 
these goals, the SATS program is developing concepts of operations and enabling technolo- 
gies. One of the concepts of operation being developed as part of the SATS program is
entitled “Higher Volume Operations (HVO) at non-tower, non-radar airports during Instrument
Meteorological Conditions (IMC)”.

Current operations at non-tower, non-radar airports during IMC rely on procedural sep- 
aration based on a method of one-in/one-out. This method results in a significant reduction 
in airport capacity. The SATS HVO concept will enable multiple operations to non-tower, 
non-radar airports during IMC. It is imperative that this concept be developed in a rigorous 
manner to insure that safety is not compromised. This requires that the concept undergo 
an extensive evaluation by both simulation and analytical methods. 

In this paper, we demonstrate how the key safety properties can be established by a 
mathematical verification method based on formal logic and theorem proving. The system 
is represented in a formal mathematical language and the required properties are formulated 
as conjectures. A mathematical proof is constructed to show that these conjectures are 
indeed mathematical theorems and consequently that the modeled system has the required 
properties. 

A preliminary concept of operation was developed prior to the completion of the first 
draft of the official concept of operations. This was done to give us a head start on the 
development of a rigorous mathematical analysis method that can be used to verify the final 
concept of operations in 2004. The models and proofs presented in this paper concern only 
this preliminary concept and not the latest SATS HVO concept documented in the summer 
of 2003. This preliminary concept has enabled us to develop a viable verification method 
and create a significant amount of reusable libraries, theories, and automated strategies that 
will be useful for the verification of the final concept of operation and other systems similar 
to this one. 

The preliminary concept is described in the next section and in more detail in [2]. Three
basic elements of the system are modeled using the PVS formal mathematical language: (1)
the airspace surrounding the airport, called the Self Controlled Area (SCA), (2) a ground
based automated system called the Airport Management Module (AMM), and (3) the aircraft
trajectories. The safety requirement is formulated as a geometric separation property. From
the models and the safety requirement, proofs are developed that support the safety claim.

2 System Description 

The objective of this concept of operation is to provide an automated service which will 
guarantee separation assurance for aircraft operating in the airport airspace. The system 
must be implementable with minimal infrastructure (i.e. low cost) and should be verifiable 
to a high confidence level. The system consists of four primary functional parts: (1) the 
Self Controlled Area (SCA), (2) the Airport Management Module (AMM), (3) on-board
navigation tools, and (4) data communication. Only the first three parts of the system are 
modeled in this paper. The data communication is assumed to be available and error free. 
In future verification efforts, the communication part of the system, including errors, may 
be considered. 

The Self Controlled Area (SCA) is a cylinder surrounding the airport facility. The approach
procedure is based on a GPS “T” approach as described in [1]. Figure 1 is a top view of the
T configuration. Aircraft approaching from the straight-in region are expected to proceed
directly to the Intermediate Fix (IF). Aircraft approaching from the base right or base left
are expected to proceed directly to Initial Arrival Fix (IAF) right or left, respectively¹.
Aircraft entering the SCA accept responsibility for separation. That is, air traffic control
services are not provided inside the SCA.

Figure 1: Basic T Design for GPS Standard Instrument Approach

The Airport Management Module (AMM) is a centralized automated system which communicates
via data link with aircraft around the airport. The AMM will typically reside on the airport
grounds. The AMM serves as an arbiter and sequencer. It receives requests from aircraft to
enter the SCA and grants or denies access. Grant or denial of access is based on a
time-separation criterion. When an aircraft requests entry into the SCA, the AMM checks that
the requesting aircraft will be time separated, at designated points, from all other aircraft
already given access². To implement the time-separation scheme in a way that does not overly
constrain the airspace, but achieves a simplified access criterion, the SCA was divided into
6 regions. Figure 2 shows the access regions. Aircraft in the same or adjacent regions must
be time separated at the following designated points:

• The SCA boundary

• The IAF (Initial Arrival Fix) or Virtual IAF

• The IF (Intermediate Fix)

• The FAF (Final Arrival Fix)

• The RT (Runway Threshold)

Aircraft in non-adjacent regions must be time separated at the following designated
points:

• The IF (Intermediate Fix)

• The FAF (Final Arrival Fix)

• The RT (Runway Threshold)

Figure 2: SCA Regions for AMM Entry Criteria (the straight-in area lies above the T)

¹ The right and left regions are labeled with respect to the pilot's view on final approach.

² To insure time separation at all of these points it is necessary for the AMM to have
knowledge of the nominal speed profiles of different types of aircraft and their trajectories.
This means that the AMM must have a database of aircraft types and their associated descent
speeds as a function of distance from the runway. The details of how the AMM performs these
calculations are not included in the model. The nominal trajectories are determined by the
concept itself and are included in our model.

When the AMM grants access to an aircraft, it broadcasts to the aircraft an Estimated Time 
of Arrival (ETA). The ETAs correspond to the following designated points: SCA boundary, 
IAF, IF, FAF, and RT. The ETAs are based on the expected trajectory, the type of the 
aircraft, and the nominal speed profile of the aircraft. It is assumed that suitably-equipped 
SATS aircraft will have on-board navigation tools that generate heading and speed advisories 
(vectoring) to enable the pilot to fly the expected trajectory and meet the ETAs. 

The objective of this concept is to enable a guarantee that all aircraft inside the SCA will 
remain separated as long as the pilots fly in accordance with the instructions given by this 
system. To establish that this guarantee is valid, we must show, for all possible times and 
all allowed aircraft trajectories that geometric separation is maintained. This verification 
is accomplished using a formal mathematical method, which is described in the following 
sections. The guarantee is elaborated as a top level safety property as follows: 

Theorem 1 (Safety_Top)

$$\begin{array}{l}
\mathrm{AMM\_properties?}(ac_1, ac_2)\ \wedge \\
\mathrm{tm\_in\_SCA?}(t, ac_1)\ \wedge \\
\mathrm{tm\_in\_SCA?}(t, ac_2)\ \wedge \\
\mathrm{not\_in\_no\_enter\_zone?}(ac_1, ac_2) \\
\supset \\
\mathrm{safely\_separated?}(\mathrm{ac\_loc}(ac_1)(t),\ \mathrm{ac\_loc}(ac_2)(t))
\end{array}$$

This theorem will be explained in detail in the next sections, but informally it states
that if the AMM protocol properties are satisfied, both aircraft are within the SCA airspace,
and both of their entry points are not within the no entry zone at the base of the T, then
the trajectories of both aircraft ac_loc(ac₁)(t) and ac_loc(ac₂)(t) are safely separated³.

The predicate safely_separated? expresses the fundamental property that two points in
space are sufficiently separated:

$$\begin{array}{l}
\mathrm{safely\_separated?}(p_1, p_2) = \\
\quad \mathrm{dist}(p_1, p_2) \ge \mathrm{sep\_min}\ \vee \\
\quad (\mathrm{on\_close\_corner?}(p_1, p_2) \wedge \mathrm{dist}(p_1, \mathrm{ifix}) + \mathrm{dist}(p_2, \mathrm{ifix}) \ge \mathrm{sep\_min})
\end{array}$$

where p₁ and p₂ are points in a two-dimensional vector space. The dist function is defined
as follows:

$$\mathrm{dist}(p, q) = \sqrt{(p_x - q_x)^2 + (p_y - q_y)^2}$$

When two aircraft are on the T and one of them is on a base leg and the other is on
final approach, linear path separation can be used rather than geometric separation. A more
detailed description of on_close_corner? will be given in section 3.3. The constant sep_min is
nominally 3 nautical miles.

³ We will be using the notation ac to represent the initial state record and $\vec{ac}$ to
represent the location of the aircraft in the initial state.


3 Model of Self Controlled Area 

The Self Controlled Area (SCA) is defined as a circle of radius SCA_radius nominally set at 
12 nautical miles, as can be seen in figure 2. 

3.1 Model of the T approach 

The approach to the runway follows a standard T approach. The T is defined by five fixes:
Runway Threshold (rt), Final Approach Fix (faf), Intermediate Fix (ifix), Left Initial Arrival
Fix (iaf_L), and Right Initial Arrival Fix (iaf_R), each of which is a point in 2D space, but
exact coordinates are not specified, except for the faf which is the origin of the coordinate
system (0,0). For all fixes but the faf, minimal constraints are given axiomatically, defining
the relative locations of the fixes:

$$\begin{array}{l}
\mathrm{iaf\_L}_y = \mathrm{ifix}_y\ \wedge \\
\mathrm{iaf\_R}_x = -\mathrm{iaf\_L}_x\ \wedge \\
\mathrm{iaf\_R}_y = \mathrm{ifix}_y\ \wedge \\
\mathrm{iaf\_L}_x + \mathrm{ifix}_y < \mathrm{SCA\_radius}
\end{array}$$

From this we see that the T is assumed symmetric, that is, the two initial arrival fixes
(iaf_L and iaf_R) are at equal distances from the intermediate fix (ifix). The last property
ensures that the virtual initial fixes mentioned below are within the SCA.

The following additional properties are derived from the type constraints of the fixes:

$$\begin{array}{l}
\mathrm{rt}_x = 0 \wedge \mathrm{rt}_y < 0 \wedge \mathrm{rt}_y > -\mathrm{SCA\_radius}\ \wedge \\
\mathrm{ifix}_x = 0 \wedge \mathrm{ifix}_y > 0 \wedge \mathrm{ifix}_y < \mathrm{SCA\_radius}\ \wedge \\
\mathrm{iaf\_L}_x > 0 \wedge \mathrm{iaf\_L}_x < \mathrm{SCA\_radius} \wedge \mathrm{iaf\_L}_y = \mathrm{ifix}_y
\end{array}$$

This orients the T in the coordinate system, so that the rt is directly below the faf, and the
initial arrival fixes (iaf_L and iaf_R) are exactly level with the ifix.

The following distances are defined for convenience:

$$\begin{array}{l}
\mathrm{iaf2if} = \mathrm{dist}(\mathrm{ifix}, \mathrm{iaf\_L}) \\
\mathrm{if2faf} = \mathrm{dist}(\mathrm{faf}, \mathrm{ifix}) \\
\mathrm{faf2rt} = \mathrm{dist}(\mathrm{rt}, \mathrm{faf}) \\
\mathrm{d\_iaf} = \mathrm{iaf2if} + \mathrm{if2faf} + \mathrm{faf2rt}
\end{array}$$

The distance d_iaf is the distance measured along the T from an initial arrival fix to the
runway threshold.

3.2 Division of the SCA 

The airspace is decomposed into disjoint regions, as seen in figure 2:

$$\begin{array}{l}
\mathrm{regionR?}(p) = (p_x < 0 \wedge p_y < \mathrm{ifix}_y) \vee (p_x = 0 \wedge p_y < \mathrm{rt}_y) \vee (p_x < \mathrm{iaf\_R}_x \wedge p_y = \mathrm{ifix}_y) \\
\mathrm{regionL?}(p) = (p_x > 0 \wedge p_y < \mathrm{ifix}_y) \vee (p_x > \mathrm{iaf\_L}_x \wedge p_y = \mathrm{ifix}_y) \\
\mathrm{regionM?}(p) = p_y > \mathrm{ifix}_y \\
\mathrm{baselegR?}(p) = \mathrm{iaf\_R}_x \le p_x \wedge p_x < \mathrm{ifix}_x \wedge p_y = \mathrm{ifix}_y \\
\mathrm{baselegL?}(p) = \mathrm{ifix}_x < p_x \wedge p_x \le \mathrm{iaf\_L}_x \wedge p_y = \mathrm{ifix}_y \\
\mathrm{final\_1?}(p) = p_x = \mathrm{faf}_x \wedge \mathrm{faf}_y < p_y \wedge p_y \le \mathrm{ifix}_y \\
\mathrm{final\_2?}(p) = p_x = \mathrm{faf}_x \wedge \mathrm{rt}_y < p_y \wedge p_y \le \mathrm{faf}_y \\
\mathrm{runway?}(p) = p_x = \mathrm{faf}_x \wedge \mathrm{rt}_y = p_y
\end{array}$$

The first three regions divide up the space outside the T based on which initial arrival fix
would be used for aircraft in that position. Thus an aircraft in region R would fly to the
iaf_R. Region M is the area with y-coordinates higher than that of ifix, that is, the area
above the T in figure 2; region M is also called the straight-in area. Each of these three
regions extends into the airspace outside the SCA. The last five regions together make up
the T. The baselegs (initial segments in figure 1) are the paths between the initial arrival
fixes (iaf_R and iaf_L) and the ifix. Then between the ifix and the faf is the first part of
the final approach (final_1), and from faf to rt is the second part (final_2). Finally, the
runway is given as a single point.

To further facilitate our algorithm, we divide region M into 4 sub-regions, regions two
through five:

$$\begin{array}{l}
\mathrm{region2?}(p) = p_y > \mathrm{ifix}_y \wedge p_x < 0 \wedge p_y - \mathrm{ifix}_y \le -p_x \\
\mathrm{region3?}(p) = p_y > \mathrm{ifix}_y \wedge p_x \le 0 \wedge p_y - \mathrm{ifix}_y > -p_x \\
\mathrm{region4?}(p) = p_y > \mathrm{ifix}_y \wedge p_x > 0 \wedge p_y - \mathrm{ifix}_y > p_x \\
\mathrm{region5?}(p) = p_y > \mathrm{ifix}_y \wedge p_x > 0 \wedge p_y - \mathrm{ifix}_y \le p_x
\end{array}$$

Each of these regions covers a 45° slice of region M. The dividing lines are assigned as
follows: the dividing line between regions 2 and 3 belongs to region 2, the dividing line
between regions 3 and 4 belongs to region 3, and the dividing line between regions 4 and 5
belongs to region 5.

3.3 Predicates On Points 

It is convenient to be able to express whether a point is within a certain group of regions. 
This is easily accomplished by defining some additional predicates as conjunctions of the 
basic regions. 

First we have predicates on_baseleg? and on_final?, each of which combines two of the
regions defined above. on_T? then combines these two new predicates.

$$\begin{array}{l}
\mathrm{on\_baseleg?}(p) = \mathrm{baselegR?}(p) \vee \mathrm{baselegL?}(p) \\
\mathrm{on\_final?}(p) = \mathrm{final\_1?}(p) \vee \mathrm{final\_2?}(p) \vee \mathrm{runway?}(p) \\
\mathrm{on\_T?}(p) = \mathrm{on\_baseleg?}(p) \vee \mathrm{on\_final?}(p)
\end{array}$$

Given two points in the SCA, we can determine if they are on different (opposite) baselegs:

$$\begin{array}{l}
\mathrm{opposite\_baselegs?}(p_1, p_2) = (\mathrm{baselegR?}(p_1) \wedge \mathrm{baselegL?}(p_2))\ \vee \\
\quad (\mathrm{baselegL?}(p_1) \wedge \mathrm{baselegR?}(p_2))
\end{array}$$

The minimal separation safety criterion is relaxed a little when both aircraft are on the T,
in that the separation may be measured along the T. In some cases this is the same as the
geometrical distance; however, in the instance where one aircraft is on a baseleg and the
other is on final, the distance along the flight path is longer than the geometrical distance.
Thus it is useful to be able to distinguish this situation, for which we define a predicate
on_close_corner?:

$$\begin{array}{l}
\mathrm{on\_close\_corner?}(p_1, p_2) = (\mathrm{on\_baseleg?}(p_1) \wedge \mathrm{on\_final?}(p_2))\ \vee \\
\quad (\mathrm{on\_baseleg?}(p_2) \wedge \mathrm{on\_final?}(p_1))
\end{array}$$

The timing comparisons for aircraft are dependent on whether the aircraft are in the
same region, in adjacent regions or in non-adjacent regions.

$$\begin{array}{l}
\mathrm{same\_region?}(p_1, p_2) = (\mathrm{regionR?}(p_1) \wedge \mathrm{regionR?}(p_2))\ \vee \\
\quad (\mathrm{regionL?}(p_1) \wedge \mathrm{regionL?}(p_2))\ \vee \\
\quad (\mathrm{region2?}(p_1) \wedge \mathrm{region2?}(p_2))\ \vee \\
\quad (\mathrm{region3?}(p_1) \wedge \mathrm{region3?}(p_2))\ \vee \\
\quad (\mathrm{region4?}(p_1) \wedge \mathrm{region4?}(p_2))\ \vee \\
\quad (\mathrm{region5?}(p_1) \wedge \mathrm{region5?}(p_2))
\end{array}$$

$$\begin{array}{l}
\mathrm{adjacent\_region?}(p_1, p_2) = (\mathrm{regionR?}(p_1) \wedge \mathrm{region2?}(p_2)) \vee (\mathrm{regionR?}(p_2) \wedge \mathrm{region2?}(p_1))\ \vee \\
\quad (\mathrm{regionL?}(p_1) \wedge \mathrm{region5?}(p_2)) \vee (\mathrm{regionL?}(p_2) \wedge \mathrm{region5?}(p_1))\ \vee \\
\quad (\mathrm{region2?}(p_1) \wedge \mathrm{region3?}(p_2)) \vee (\mathrm{region2?}(p_2) \wedge \mathrm{region3?}(p_1))\ \vee \\
\quad (\mathrm{region3?}(p_1) \wedge \mathrm{region4?}(p_2)) \vee (\mathrm{region3?}(p_2) \wedge \mathrm{region4?}(p_1))\ \vee \\
\quad (\mathrm{region4?}(p_1) \wedge \mathrm{region5?}(p_2)) \vee (\mathrm{region4?}(p_2) \wedge \mathrm{region5?}(p_1))
\end{array}$$

It is worth noting that although regions L and R are adjacent in a geometrical sense, they
are not defined as adjacent in this formalization, since aircraft in regions R and L fly toward
two different IAFs (iaf_R and iaf_L).


3.4 Determining the Correct Arrival Fix 

Based on the position of an aircraft outside the SCA, the appropriate initial arrival fix is
uniquely determined. If an aircraft is in region R (region L), the initial arrival fix is iaf_R
(iaf_L); however, if the aircraft is in region M, it heads directly to the ifix. Nevertheless it
is useful to define virtual initial fixes for aircraft entering through region M:

$$\mathrm{vir\_iaf}(p_i) = p_i + \left(1 - \frac{\mathrm{iaf2if}}{\mathrm{dist}(p_i, \mathrm{ifix})}\right)(\mathrm{ifix} - p_i)$$

where p_i is an initial point in region M.

Thus, given a position in the SCA (or indeed in the airspace outside) one can compute
the fix that the aircraft proceeds toward as follows:

$$\begin{array}{l}
\mathrm{which\_iaf}(p : \mathrm{init\_point}) = \mathrm{IF}\ \mathrm{regionR?}(p)\ \mathrm{THEN}\ \mathrm{iaf\_R} \\
\quad \mathrm{ELSIF}\ \mathrm{regionL?}(p)\ \mathrm{THEN}\ \mathrm{iaf\_L} \\
\quad \mathrm{ELSE}\ \mathrm{vir\_iaf}(p) \\
\quad \mathrm{ENDIF}
\end{array}$$

Although we use the virtual initial arrival fixes for aircraft entering through region M, we
also often just assume that they go straight to the ifix. However, since the virtual initial
arrival fixes are on the straight line between the entry point for the aircraft and the ifix, this
does not change our assumptions on the flight path.
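The geometry of sections 2 and 3 (the T fixes, the region predicates, same/adjacent regions, which_iaf with the virtual IAF, on_close_corner? and safely_separated?) as an executable plain-Python model; this is an added example, not the paper's PVS theory. The fix coordinates and the sep_min value are constructed assumptions, since the paper fixes only the faf (at the origin).

```python
# Added example, not the paper's PVS: the SCA geometry of sections 2 and 3
# (T fixes, region predicates, same/adjacent regions, which_iaf with the
# virtual IAF, on_close_corner? and safely_separated?) in plain Python.
# Fix coordinates and SEP_MIN are constructed (assumption). Units: nautical miles.
import math

SEP_MIN = 3.0                   # nominal sep_min (section 2)
FAF = (0.0, 0.0)                # faf is the origin by definition
IFIX = (0.0, 5.0)               # ifix directly above the faf
RT = (0.0, -1.0)                # rt directly below the faf
IAF_L = (4.0, 5.0)              # left IAF: positive x (pilot's view on final)
IAF_R = (-IAF_L[0], IAF_L[1])   # right IAF mirrors it (symmetry axiom)

def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])

IAF2IF = dist(IFIX, IAF_L)      # baseleg length

# Section 3.2: the disjoint entry regions and the five pieces of the T.
def regionR(p):
    x, y = p
    return ((x < 0 and y < IFIX[1]) or (x == 0 and y < RT[1])
            or (x < IAF_R[0] and y == IFIX[1]))

def regionL(p):
    x, y = p
    return (x > 0 and y < IFIX[1]) or (x > IAF_L[0] and y == IFIX[1])

def regionM(p):
    return p[1] > IFIX[1]

def baselegR(p):
    return IAF_R[0] <= p[0] < IFIX[0] and p[1] == IFIX[1]
def baselegL(p):
    return IFIX[0] < p[0] <= IAF_L[0] and p[1] == IFIX[1]
def final_1(p):
    return p[0] == FAF[0] and FAF[1] < p[1] <= IFIX[1]
def final_2(p):
    return p[0] == FAF[0] and RT[1] < p[1] <= FAF[1]
def runway(p):
    return p[0] == FAF[0] and p[1] == RT[1]

# Region M as four 45-degree slices; the dividing lines go to the regions
# named in the text (2/3 line -> 2, 3/4 line -> 3, 4/5 line -> 5).
def region2(p):
    return regionM(p) and p[0] < 0 and p[1] - IFIX[1] <= -p[0]
def region3(p):
    return regionM(p) and p[0] <= 0 and p[1] - IFIX[1] > -p[0]
def region4(p):
    return regionM(p) and p[0] > 0 and p[1] - IFIX[1] > p[0]
def region5(p):
    return regionM(p) and p[0] > 0 and p[1] - IFIX[1] <= p[0]

ENTRY_REGIONS = {"R": regionR, "L": regionL, "2": region2,
                 "3": region3, "4": region4, "5": region5}
# Adjacency per section 3.3; R and L touch geometrically but are deliberately
# not adjacent, because their aircraft fly to different IAFs.
ADJACENT = {frozenset(pair) for pair in
            [("R", "2"), ("L", "5"), ("2", "3"), ("3", "4"), ("4", "5")]}

def entry_region(p):
    """Name of the entry region containing p, or None when p is on the T."""
    hits = [name for name, pred in ENTRY_REGIONS.items() if pred(p)]
    assert len(hits) <= 1, "entry regions must be disjoint"
    return hits[0] if hits else None

def same_region(p1, p2):
    r = entry_region(p1)
    return r is not None and r == entry_region(p2)

def adjacent_region(p1, p2):
    r1, r2 = entry_region(p1), entry_region(p2)
    return r1 is not None and r2 is not None and frozenset((r1, r2)) in ADJACENT

# Sections 3.3 and 3.4.
def on_baseleg(p):
    return baselegR(p) or baselegL(p)
def on_final(p):
    return final_1(p) or final_2(p) or runway(p)
def on_close_corner(p1, p2):
    return (on_baseleg(p1) and on_final(p2)) or (on_baseleg(p2) and on_final(p1))

def vir_iaf(p):
    """Virtual IAF of a region M entry: iaf2if short of ifix on the line p -> ifix."""
    k = 1.0 - IAF2IF / dist(p, IFIX)
    return (p[0] + k * (IFIX[0] - p[0]), p[1] + k * (IFIX[1] - p[1]))

def which_iaf(p):
    if regionR(p):
        return IAF_R
    if regionL(p):
        return IAF_L
    return vir_iaf(p)

def safely_separated(p1, p2):
    """Geometric separation, or separation measured along the T on a close corner."""
    return dist(p1, p2) >= SEP_MIN or (
        on_close_corner(p1, p2) and dist(p1, IFIX) + dist(p2, IFIX) >= SEP_MIN)
```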


4 Model of Aircraft Trajectory 

Fundamental to the specification of the SATS system is the delineation of the trajectories
of aircraft in the SATS airspace. These trajectories are modeled using a function ac_loc of
time:

$$\begin{array}{l}
\mathrm{ac\_loc}(ac)(t) = \\
\quad \mathrm{LET}\ t_{iaf} = \mathrm{time\_at\_iaf}(ac),\ \mathrm{wh\_fix} = \mathrm{which\_iaf}(ac),\ t_{ent} = \mathrm{entry\_time}(ac)\ \mathrm{IN} \\
\quad \mathrm{IF}\ t < t_{iaf}\ \mathrm{THEN}\ \vec{ac} + (t - t_{ent}) * \mathrm{vel\_from\_spd}(\vec{ac}, \mathrm{wh\_fix}, ac.gs) \\
\quad \mathrm{ELSIF}\ t > \mathrm{time\_to\_rt}(ac)\ \mathrm{THEN}\ (\mathrm{rt}_x, \mathrm{rt}_y) \\
\quad \mathrm{ELSE} \\
\quad\quad \mathrm{IF}\ t > \mathrm{time\_to\_if}(ac)\ \mathrm{THEN}\ (\mathrm{ifix}_x,\ \mathrm{ifix}_y - (\mathrm{dist\_gone}(ac)(t) - \mathrm{iaf2if})) \\
\quad\quad \mathrm{ELSIF}\ \mathrm{regionR?}(\vec{ac}) \vee \mathrm{regionL?}(\vec{ac})\ \mathrm{THEN} \\
\quad\quad\quad \mathrm{IF}\ \mathrm{wh\_fix} = \mathrm{iaf\_R}\ \mathrm{THEN}\ \mathrm{loc\_on\_legR}(\mathrm{dist\_gone}(ac)(t)) \\
\quad\quad\quad \mathrm{ELSE}\ \mathrm{loc\_on\_legL}(\mathrm{dist\_gone}(ac)(t)) \\
\quad\quad\quad \mathrm{ENDIF} \\
\quad\quad \mathrm{ELSE}\ \mathrm{wh\_fix} + \dfrac{\mathrm{dist\_gone}(ac)(t)}{\mathrm{iaf2if}}\,(\mathrm{ifix} - \mathrm{wh\_fix}) \\
\quad\quad \mathrm{ENDIF} \\
\quad \mathrm{ENDIF}
\end{array}$$

where $\vec{ac}$ is the initial location of the aircraft when it enters the SATS airspace. This
function decomposes the calculation of the position of the aircraft based upon time. The key
times are

time_at_iaf(ac): time the aircraft arrives at the initial approach fix,
= entry_time(ac) + dist($\vec{ac}$, which_iaf(ac)) / ac.gs

time_to_if(ac): time the aircraft arrives at the initial fix

time_to_rt(ac): time the aircraft arrives at the runway threshold

The time that an aircraft enters the SATS airspace is represented by an uninterpreted
function, entry_time(ac).

4.1 Before time_at_iaf(ac) 

Prior to time_at_iaf(ac), the aircraft travels at a constant velocity. It was convenient to define
the aircraft trajectory using a line in 2D space. The traditional way to define a line in 2D
space is by specifying two distinct points, p₀ and p₁, on it. But a line can also be defined by
a point and a direction vector. Furthermore, we can also add dynamics to our line using an
initial point p₀ and a velocity vector v as follows:

$$p_0 + t\,v$$

which designates the location of a moving particle at time t. Thus if $\vec{ac}$ is the position of
the aircraft when it enters the SATS airspace, its position up to the IAF can be calculated
as follows:

$$\vec{ac} + (t - t_{ent}) * \mathrm{vel\_from\_spd}(\vec{ac}, \mathrm{wh\_fix}, ac.gs)$$

where t_ent is the entry time and vel_from_spd($\vec{ac}$, wh_fix, ac.gs) is the constant velocity of
the vehicle. Note that this velocity vector is computed from the initial point, the final point
and the speed as follows:

$$\mathrm{vel\_from\_spd}(p_1, p_2, s) = \mathrm{IF}\ p_1 = p_2\ \mathrm{THEN}\ \mathrm{zero}\ \mathrm{ELSE}\ \frac{s}{\mathrm{dist}(p_1, p_2)}\,(p_2 - p_1)\ \mathrm{ENDIF}$$


4.2 Between time_at_iaf(ac) and time_to_if(ac) 

Once the aircraft reaches an IAF or a virtual IAF it begins to decrease its speed in
accordance with a speed profile that is a function of remaining distance to the runway
threshold. Therefore a function dist_gone(ac)(t) is needed to compute the relative distance.
Details are provided in section 4.4. The position on the T at time t depends upon which of
the two IAFs or virtual IAFs the aircraft passed through. The ac_loc function first tests to
see whether the aircraft is currently at an IAF (i.e. entered from region R or region L) or a
virtual IAF. If it is at an IAF then the position is calculated as follows:

$$\begin{array}{l}
\mathrm{IF}\ \mathrm{wh\_fix} = \mathrm{iaf\_R}\ \mathrm{THEN}\ \mathrm{loc\_on\_legR}(\mathrm{dist\_gone}(ac)(t)) \\
\mathrm{ELSE}\ \mathrm{loc\_on\_legL}(\mathrm{dist\_gone}(ac)(t)) \\
\mathrm{ENDIF}
\end{array}$$

where the subfunctions are defined as follows:

$$\begin{array}{l}
\mathrm{loc\_on\_legR}(l) = \mathrm{IF}\ l < \mathrm{iaf2if}\ \mathrm{THEN}\ (\mathrm{iaf\_R}_x + l,\ \mathrm{iaf\_R}_y) \\
\quad \mathrm{ELSE}\ (\mathrm{ifix}_x,\ \mathrm{ifix}_y - (l - \mathrm{iaf2if})) \\
\quad \mathrm{ENDIF} \\[4pt]
\mathrm{loc\_on\_legL}(l) = \mathrm{IF}\ l < \mathrm{iaf2if}\ \mathrm{THEN}\ (\mathrm{iaf\_L}_x - l,\ \mathrm{iaf\_R}_y) \\
\quad \mathrm{ELSE}\ (\mathrm{ifix}_x,\ \mathrm{ifix}_y - (l - \mathrm{iaf2if})) \\
\quad \mathrm{ENDIF}
\end{array}$$

If the aircraft entered the SCA through region M and has already passed through the virtual
IAF, the position is calculated as follows:

$$\mathrm{wh\_fix} + \frac{\mathrm{dist\_gone}(ac)(t)}{\mathrm{iaf2if}}\,(\mathrm{ifix} - \mathrm{wh\_fix})$$


4.3 After time_to_if(ac) 

If the time is after time_to_rt(ac) then the function returns the location of the runway
threshold (rt_x, rt_y). Otherwise, the aircraft is on the final approach. The calculated
location is:

$$(\mathrm{ifix}_x,\ \mathrm{ifix}_y - (\mathrm{dist\_gone}(ac)(t) - \mathrm{iaf2if}))$$

4.4 Calculation of dist_gone(ac)(t) 

The speed of the aircraft after it reaches an IAF or a virtual IAF is defined by a speed profile
determined by its aircraft type. This speed profile is a function of remaining distance to the
runway threshold. For example, the speed profile for the Cessna 172 is:

$$\begin{array}{l}
\mathrm{speed\_profile\_c172}(d_r) = \mathrm{IF}\ d_r < 1\ \mathrm{THEN}\ 90 + 25\,(d_r - 1) \\
\quad \mathrm{ELSIF}\ d_r < 5\ \mathrm{THEN}\ 90 \\
\quad \mathrm{ELSIF}\ d_r < 7\ \mathrm{THEN}\ 120 + \dfrac{120 - 90}{2}\,(d_r - 7) \\
\quad \mathrm{ELSE}\ 120 \\
\quad \mathrm{ENDIF}
\end{array}$$

Since this function is continuous, we can define a time-to-point function as the integral, with
respect to distance, of one over the speed profile, plus an absolute time constant A_t:

$$\mathrm{tm2pt}(ac)(l) = \int_0^{l} \frac{1}{\mathrm{speed\_profile}(ac,\ \mathrm{d\_iaf} - x)}\,dx + A_t$$

where A_t is the time at which the aircraft crosses the IAF, l is defined as the distance traveled
after crossing the IAF, d_iaf is the path distance from the IAF to the runway threshold,
and the argument ac in the speed profile function supplies the type of aircraft. Therefore,
tm2pt(ac)(0) = time_at_iaf(ac). Note that d_iaf − l is the remaining distance to the runway
threshold.

Since the speed profile is continuous and positive, the function tm2pt is continuous and
increasing, so we can define an inverse function as follows:

$$t = \mathrm{tm2pt}(ac)(l) \iff \mathrm{dist\_gone}(ac)(t) = l$$

It is important to keep in mind that dist_gone returns the relative distance traveled from the
IAF but takes as an argument absolute time.
Lemma 1 (derivative_relation)

$$\left(\forall l : \frac{d\,\mathrm{tm2pt}(ac_1)(l)}{dl} \ge \frac{d\,\mathrm{tm2pt}(ac_2)(l)}{dl}\right) \vee \left(\forall l : \frac{d\,\mathrm{tm2pt}(ac_2)(l)}{dl} \ge \frac{d\,\mathrm{tm2pt}(ac_1)(l)}{dl}\right)$$

Proof. This is established for all combinations of aircraft speed profiles by a case split on
each of the speed profile functions. This is a key property that we rely on to establish
separation on the T. □

5 AMM Requirements Model 

In this section, the requirements for the Airport Management Module (AMM) are described.
These requirements basically define an abstract time separation protocol, which does not
specify any of the details of an implementation. They are intrinsic to the concept itself or
are a product of the formal proof process (i.e. they were added in order to complete a proof).
Properties that were needed in order to establish the separation lemmas were collected under
a predicate named AMM_properties? defined as follows:

$$\begin{array}{l}
\mathrm{AMM\_properties?}(ac_1, ac_2) = \mathrm{AMM\_PP2?}(ac_1, ac_2)\ \wedge \\
\quad \mathrm{time\_sep\_prop}\ \wedge \\
\quad \mathrm{entry\_time}(ac_2) > \mathrm{entry\_time}(ac_1)\ \wedge \\
\quad \mathrm{iaf\_L\_gt\_sep\_min}\ \wedge \\
\quad \mathrm{init\_sep\_prop}(ac_1, ac_2)
\end{array}$$

We will discuss each of these conjuncts in the order that they appear. First, the predicate
AMM_PP2? is the abstract representation of the AMM timing protocol and is defined as follows:

$$\begin{array}{l}
\mathrm{AMM\_PP2?}(ac_1, ac_2) = \mathrm{time\_separation\_at\_rt?}(ac_1, ac_2)\ \wedge \\
\quad \mathrm{time\_separation\_at\_faf?}(ac_1, ac_2)\ \wedge \\
\quad \mathrm{time\_separation\_at\_if?}(ac_1, ac_2)\ \wedge \\
\quad ((\mathrm{same\_region?}(ac_1, ac_2) \vee \mathrm{adjacent\_region?}(ac_1, ac_2)) \\
\quad\ \ \mathrm{IMPLIES} \\
\quad\ \ \mathrm{time\_separation\_at\_iaf?}(ac_1, ac_2) \wedge \mathrm{time\_separation\_at\_entry?}(ac_1, ac_2))
\end{array}$$

The first three conjuncts specify that there is time separation at the runway threshold (rt),
the final approach fix (faf), and the initial fix (if). The next implication states that if the
two aircraft are in the same region or in adjacent regions, then there are two additional
timing constraints, namely, that there is time separation at the IAFs and at the point of
entry. The time_separation predicates are defined as follows:

$$\begin{array}{l}
\mathrm{time\_separation\_at\_entry?}(ac_1, ac_2) = \mathrm{entry\_time}(ac_2) - \mathrm{entry\_time}(ac_1) \ge \mathrm{time\_sep} \\
\mathrm{time\_separation\_at\_iaf?}(ac_1, ac_2) = \mathrm{tm2pt}(ac_2)(0) - \mathrm{tm2pt}(ac_1)(0) \ge \mathrm{time\_sep} \\
\mathrm{time\_separation\_at\_if?}(ac_1, ac_2) = \mathrm{tm2pt}(ac_2)(\mathrm{iaf2if}) - \mathrm{tm2pt}(ac_1)(\mathrm{iaf2if}) \ge \mathrm{time\_sep} \\
\mathrm{time\_separation\_at\_faf?}(ac_1, ac_2) = \mathrm{tm2pt}(ac_2)(\mathrm{iaf2if} + \mathrm{if2faf}) - \mathrm{tm2pt}(ac_1)(\mathrm{iaf2if} + \mathrm{if2faf}) \ge \mathrm{time\_sep} \\
\mathrm{time\_separation\_at\_rt?}(ac_1, ac_2) = \mathrm{tm2pt}(ac_2)(\mathrm{d\_iaf}) - \mathrm{tm2pt}(ac_1)(\mathrm{d\_iaf}) \ge \mathrm{time\_sep}
\end{array}$$
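Section 4.4's tm2pt and its inverse dist_gone, together with the time-separation predicates above (AMM_PP2?), worked numerically for two aircraft; this is an added example, not the paper's PVS theory. The Cessna 172 profile is the paper's; the faster second profile, the T lengths, min_speed, time_sep and the two sample aircraft are constructed assumptions, and the block also runs the Lemma 1 dominance check on sampled points.

```python
# Added example, not the paper's PVS: section 4.4's speed profile, tm2pt and
# its inverse dist_gone, plus the time-separation predicates of section 5
# (AMM_PP2?), in plain Python. The Cessna 172 profile is the paper's; the
# "fast" profile, the T lengths, MIN_SPEED and the sample aircraft are
# constructed values (assumptions). Units: nautical miles, knots, hours.
D_IAF = 10.0                    # along-T distance IAF -> RT (constructed)
IAF2IF = 4.0                    # IAF -> IF (constructed)
IF2FAF = 5.0                    # IF -> FAF (constructed)
SEP_MIN = 3.0                   # nominal sep_min
MIN_SPEED = 65.0                # slowest speed of any profile below (c172 at d_r = 0)
TIME_SEP = SEP_MIN / MIN_SPEED  # smallest time_sep satisfying time_sep_prop

def speed_profile_c172(d_r):
    """Ground speed (kt) of a Cessna 172 at remaining distance d_r (nm) to the threshold."""
    if d_r < 1:
        return 90 + 25 * (d_r - 1)
    if d_r < 5:
        return 90
    if d_r < 7:
        return 120 + (120 - 90) / 2 * (d_r - 7)
    return 120

def speed_profile_fast(d_r):
    """Constructed profile of a faster type; it is at least the c172 speed everywhere."""
    if d_r < 1:
        return 110 + 30 * (d_r - 1)
    if d_r < 5:
        return 110
    if d_r < 7:
        return 150 + (150 - 110) / 2 * (d_r - 7)
    return 150

PROFILES = {"c172": speed_profile_c172, "fast": speed_profile_fast}

def tm2pt(ac, l, n=2000):
    """Absolute time (h) at which ac has flown l nm past its IAF: the integral from 0
    to l of 1/speed_profile(ac, d_iaf - x) dx, plus the IAF crossing time."""
    prof = PROFILES[ac["type"]]
    h = l / n
    # midpoint rule; the integrand is continuous and positive, so this converges
    area = sum(1.0 / prof(D_IAF - (i + 0.5) * h) for i in range(n)) * h
    return area + ac["time_at_iaf"]

def dist_gone(ac, t, tol=1e-7):
    """Inverse of tm2pt (which is increasing) by bisection: the l with tm2pt(ac, l) = t,
    clamped to [0, d_iaf] for times before the IAF or after the threshold."""
    lo, hi = 0.0, D_IAF
    if t <= tm2pt(ac, lo):
        return lo
    if t >= tm2pt(ac, hi):
        return hi
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if tm2pt(ac, mid) < t:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def profile_dominates(a, b, step=0.01):
    """Lemma 1 on sampled points: d tm2pt/dl = 1/speed, so 'a is never slower than b'
    means a's tm2pt slope is never larger than b's."""
    return all(a(k * step) >= b(k * step) for k in range(int(D_IAF / step) + 1))

def time_separated_at(ac1, ac2, l):
    """ac1 entered first; it must pass distance l at least TIME_SEP before ac2."""
    return tm2pt(ac2, l) - tm2pt(ac1, l) >= TIME_SEP

def amm_pp2(ac1, ac2, same_or_adjacent):
    """AMM_PP2?: separation at rt, faf and if always; at the IAF and at entry too
    when the aircraft entered through the same or adjacent regions."""
    ok = all(time_separated_at(ac1, ac2, l) for l in (D_IAF, IAF2IF + IF2FAF, IAF2IF))
    if same_or_adjacent:
        ok = (ok and time_separated_at(ac1, ac2, 0.0)
              and ac2["entry_time"] - ac1["entry_time"] >= TIME_SEP)
    return ok

# Constructed scenario: a c172 leads, a faster type follows. Times in hours.
LEADER = {"type": "c172", "entry_time": -0.10, "time_at_iaf": 0.0}
FOLLOWER_CLOSE = {"type": "fast", "entry_time": -0.05, "time_at_iaf": 0.05}
FOLLOWER_OK = {"type": "fast", "entry_time": -0.03, "time_at_iaf": 0.07}
```

FOLLOWER_CLOSE is time separated at the IAF but, being faster, closes to less than time_sep by the IF and the threshold, so AMM_PP2? rejects it; FOLLOWER_OK keeps the margin at every designated point.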


The AMM implementation will have to perform many calculations involving airport geometry,
aircraft trajectories and speed profiles, and other external factors such as wind,
communications delay, and pilot error in order to calculate time delays that will meet these
requirements. It is important that the refinement of these AMM requirements into executable
code be carried out in a rigorous manner and formally verified, as well as the overall
system concept. It is also important that the AMM code be implemented on a fault-tolerant
computing platform, because the reliability requirements will be very high. This was not
attempted in this effort, but will necessarily be a part of our future efforts on the evolving
SATS concept of operation.

The second conjunct in the predicate AMM_properties? is time_sep_prop which is defined
as follows:

$$\mathrm{time\_sep\_prop} = \mathrm{time\_sep} * \mathrm{min\_speed} \ge \mathrm{sep\_min}$$

This constraint essentially defines time_sep in terms of the minimum geometric separation
(sep_min) and the speed of the slowest possible aircraft (min_speed). The third conjunct in
the predicate AMM_properties? is just a naming convention establishing that the first aircraft
to enter the SATS airspace is labeled as 1 and the second is labeled 2:

$$\mathrm{entry\_time}(ac_2) > \mathrm{entry\_time}(ac_1)$$

The fourth conjunct in the predicate AMM_properties? is iaf_L_gt_sep_min defined as follows:

$$\mathrm{iaf\_L\_gt\_sep\_min} = \mathrm{iaf\_L}_x > \mathrm{sep\_min}$$

This is a restriction on the size of sep_min compared to the width of the T (or vice versa).
Finally, the fifth conjunct in the predicate AMM_properties? is init_sep_prop which is defined as:

$$\begin{array}{l}
\mathrm{init\_sep\_prop}(ac_1, ac_2) = \\
\quad \mathrm{same\_region?}(ac_1, ac_2) \supset \\
\quad Z * \mathrm{min\_speed} \ge (\mathrm{dist}(\vec{ac}_1, \mathrm{IAF}) - \mathrm{dist}(\vec{ac}_2, \mathrm{IAF})) + \mathrm{sep\_min}
\end{array}$$

where Z = entry_time(ac₂) − entry_time(ac₁) and IAF is the common initial approach fix.
This last conjunct was added to facilitate a proof. It adds an additional restriction to the
timing protocol. Simulation runs with this additional restriction show that the performance
penalty in terms of airport operational capacity is very small. This conjunct requires that
the AMM determine the distances to the IAF when the two aircraft are in the same region.

6 Safety Property 

In the introduction, we stated that the top level theorem (1) is:

$$\begin{array}{l}
\mathrm{AMM\_properties?}(ac_1, ac_2)\ \wedge \\
\mathrm{tm\_in\_SCA?}(t, ac_1)\ \wedge \\
\mathrm{tm\_in\_SCA?}(t, ac_2)\ \wedge \\
\mathrm{not\_in\_no\_enter\_zone?}(ac_1, ac_2) \\
\supset \\
\mathrm{safely\_separated?}(\mathrm{ac\_loc}(ac_1)(t),\ \mathrm{ac\_loc}(ac_2)(t))
\end{array}$$

AMM_properties?(ac₁, ac₂) was explained in the previous section, tm_in_SCA?(t, ac) is a
predicate used to ensure that the aircraft is inside the SCA, and not_in_no_enter_zone? is a
predicate which excludes entry near the base of the T. In figure 2 this zone is designated by
the phrase “Entry Not Permitted in this zone”. In this section we will describe each of the
predicates tm_in_SCA?, not_in_no_enter_zone? and safely_separated?.

6.1 Timing Predicates 

The predicate tm_in_SCA? is defined by:

$$\mathrm{tm\_in\_SCA?}(t, ac) = \mathrm{tm\_bef\_T?}(t, ac) \vee \mathrm{tm\_on\_T?}(t, ac)$$

and determines if an aircraft is within the SCA at time t.

The predicates tm_bef_T? and tm_on_T? are defined as follows:

$$\begin{array}{l}
\mathrm{tm\_bef\_T?}(t, ac) = \mathrm{IF}\ \mathrm{regionM?}(\vec{ac})\ \mathrm{THEN}\ t \ge \mathrm{entry\_time}(ac) \wedge t < \mathrm{tm2pt}(ac)(\mathrm{iaf2if}) \\
\quad \mathrm{ELSE}\ t \ge \mathrm{entry\_time}(ac) \wedge t < \mathrm{tm2pt}(ac)(0) \\
\quad \mathrm{ENDIF} \\[4pt]
\mathrm{tm\_on\_T?}(t, ac) = \mathrm{IF}\ \mathrm{regionM?}(\vec{ac})\ \mathrm{THEN}\ t \ge \mathrm{tm2pt}(ac)(\mathrm{iaf2if}) \wedge t \le \mathrm{tm2pt}(ac)(\mathrm{d\_iaf}) \\
\quad \mathrm{ELSE}\ t \ge \mathrm{tm2pt}(ac)(0) \wedge t \le \mathrm{tm2pt}(ac)(\mathrm{d\_iaf}) \\
\quad \mathrm{ENDIF}
\end{array}$$

The first predicate, tm_bef_T?(t, ac), determines if at time t the aircraft ac is in the SCA and
has not yet acquired the T. Since aircraft entering through region M go straight to the ifix,
they do not acquire the T until the time given by tm2pt(ac)(iaf2if). Likewise, tm_on_T?(t, ac)
determines if an aircraft has acquired the T.

Some further timing predicates are useful, distinguishing between the different stages of
flight:

$$\begin{array}{l}
\mathrm{tm\_on\_baseleg?}(t, ac) = \neg\mathrm{regionM?}(\vec{ac}) \wedge t \ge \mathrm{tm2pt}(ac)(0) \wedge t < \mathrm{tm2pt}(ac)(\mathrm{iaf2if}) \\
\mathrm{tm\_on\_final?}(t, ac) = t \ge \mathrm{tm2pt}(ac)(\mathrm{iaf2if}) \wedge t \le \mathrm{tm2pt}(ac)(\mathrm{d\_iaf})
\end{array}$$

The predicate tm_on_baseleg?(t, ac) determines whether an aircraft that entered through
regions R or L is on a baseleg at time t. Since an aircraft that enters through region M does
not travel along the baselegs of the T, it is excluded here. The predicate tm_on_final?
determines if an aircraft is on final at time t; this is independent of the entry region.

Figure 3 shows how the various predicates are true for different stages of flight, depending
on whether the aircraft is entering through regions R or L or through region M.

Figure 3: Timing predicates compared to stage of flight. Points along the flight: SCA border,
IAF (R/L/virtual), IF, FAF, RT. Entry through regions R or L: tm_bef_T? until the IAF, then
tm_on_T? (with tm_on_baseleg? from the IAF to the IF). Entry through region M: tm_bef_T?
until the IF, then tm_on_T?. Independent of entry region: tm_on_final? from the IF to the
RT, and tm_in_SCA? throughout.


6.2 Excluding Special Cases 

Due to the construction of the protocol, there is a narrow wedge of airspace surrounding the
border between regions L and R (around x = 0) in which separation is somewhat harder to
establish. We call this the no enter zone:

$$\begin{array}{l}
\mathrm{not\_in\_no\_enter\_zone?}(ac_1, ac_2) = \mathrm{RL\_case?}(ac_1, ac_2) \supset \\
\quad \mathrm{one\_outside\_of\_sepmin?}(ac_1, ac_2)\ \vee \\
\quad \mathrm{one\_outside\_of\_sepmin?}(ac_2, ac_1)\ \vee \\
\quad \mathrm{both\_outside\_of\_sepmin\_div2?}(ac_1, ac_2)
\end{array}$$

It should be noted here that this wedge is really rather small. This also splits regions R and
L into Ra/Rx and La/Lx with Rx and Lx denoting the right and left no enter zone.

The predicate RL_case? determines if ac₁ and ac₂ are entering through regions R and L
with one of the aircraft entering through each region:

$$\mathrm{RL\_case?}(ac_1, ac_2) = (\mathrm{regionR?}(ac_1) \wedge \mathrm{regionL?}(ac_2)) \vee (\mathrm{regionR?}(ac_2) \wedge \mathrm{regionL?}(ac_1))$$

The predicate one_outside_of_sepmin? is not symmetrical in the two arguments, which is why
it is applied twice in not_in_no_enter_zone?. The first argument (here ac₁) must have the
absolute value of the x value of its entry point greater than or equal to sep_min:

$$\begin{array}{l}
\mathrm{one\_outside\_of\_sepmin?}(ac_1, ac_2) = (\mathrm{regionR?}(ac_1) \wedge \mathrm{regionL?}(ac_2) \wedge (\vec{ac}_1)_x \le -\mathrm{sep\_min}) \\
\quad \vee\ (\mathrm{regionL?}(ac_1) \wedge \mathrm{regionR?}(ac_2) \wedge (\vec{ac}_1)_x \ge \mathrm{sep\_min})
\end{array}$$

Finally, if both aircraft have the absolute values of the x values of their entry points greater
than or equal to sep_min/2, the predicate both_outside_of_sepmin_div2? holds:

$$\begin{array}{l}
\mathrm{both\_outside\_of\_sepmin\_div2?}(ac_1, ac_2) = (\mathrm{regionR?}(ac_1) \wedge \mathrm{regionL?}(ac_2)\ \wedge \\
\quad\quad (\vec{ac}_1)_x \le -\mathrm{sep\_min}/2 \wedge (\vec{ac}_2)_x \ge \mathrm{sep\_min}/2) \\
\quad \vee\ (\mathrm{regionL?}(ac_1) \wedge \mathrm{regionR?}(ac_2)\ \wedge \\
\quad\quad (\vec{ac}_2)_x \le -\mathrm{sep\_min}/2 \wedge (\vec{ac}_1)_x \ge \mathrm{sep\_min}/2)
\end{array}$$

Thus, if one of ac₁ or ac₂ is in region R, and the other in region L, then the top level
theorem only considers those situations where either aircraft has an entry point with |x| ≥
sep_min, or both aircraft have entry points with |x| ≥ sep_min/2.

6.3 Safe Separation 

Our overall aim is to show that for any two aircraft within the SCA, those two aircraft 
maintain the minimum required separation at all times. The predicate safely_separated? 
states exactly that: 

safely_separated?(pi,p 2 ) = dist(pi,p 2 ) > sepjmin V 

(on.close-corner?^!,^) A 

dist(pi, ifix) + dist(p 2 , ifix) > sep_min) 

We see that safely_separated? is expressed in terms of the locations of the aircraft given as
points in 2D space. These are calculated using ac_loc(ac)(t), which is described more fully
in section 4. In general, we require a simple geometrical separation, that is, the distance
between the two aircraft must be greater than or equal to sep_min nautical miles. However,
if the two aircraft are already on the T, and the first one is on final approach and the other
one is on a baseleg, it is enough to have sep_min distance as measured along the T, as is
discussed in section 2.

So the main theorem says that if two aircraft are both in the SCA, the AMM_properties
hold for the two aircraft, and they are not in the no-enter zone, then separation as defined
above is ensured.
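The predicates above, rendered as executable Python so that a pair of entry points and a pair of positions can be checked against them. This is an added illustration and not part of the paper's PVS model: the composition used for not_in_no_enter_zone? (in the R/L case at least one of the three clauses must hold, with the asymmetric predicate applied in both argument orders) is this example's reading of the prose, and on_close_corner? is taken as an input because its definition lives in section 3.3 and is not reproduced here.

```python
"""Entry-region and separation predicates of sections 6.2 and 6.3 as Python.
Added illustration, not the paper's PVS model."""
import math
from dataclasses import dataclass

SEP_MIN = 3.0   # nautical miles; the paper cites 3 miles as an example value


@dataclass(frozen=True)
class Aircraft:
    region: str       # 'R', 'L' or 'M': entry region of the SCA
    entry_x: float    # x coordinate of the entry point (nm)


def region_R(ac):
    return ac.region == "R"


def region_L(ac):
    return ac.region == "L"


def rl_case(ac1, ac2):
    """RL_case?: one aircraft enters through R and the other through L."""
    return (region_R(ac1) and region_L(ac2)) or (region_R(ac2) and region_L(ac1))


def one_outside_of_sepmin(ac1, ac2, sep_min=SEP_MIN):
    """one_outside_of_sepmin?: asymmetric, only ac1's entry point is constrained."""
    return ((region_R(ac1) and region_L(ac2) and ac1.entry_x <= -sep_min) or
            (region_L(ac1) and region_R(ac2) and ac1.entry_x >= sep_min))


def both_outside_of_sepmin_div2(ac1, ac2, sep_min=SEP_MIN):
    """both_outside_of_sepmin_div2?: both entry points clear the half-width wedge."""
    half = sep_min / 2
    return ((region_R(ac1) and region_L(ac2) and ac1.entry_x <= -half and ac2.entry_x >= half) or
            (region_L(ac1) and region_R(ac2) and ac2.entry_x <= -half and ac1.entry_x >= half))


def not_in_no_enter_zone(ac1, ac2, sep_min=SEP_MIN):
    """Assumed composition (this example's reading of section 6.2): outside the
    R/L case nothing is restricted; inside it one of the three escape clauses
    must hold, the asymmetric predicate being tried with both argument orders."""
    if not rl_case(ac1, ac2):
        return True
    return (one_outside_of_sepmin(ac1, ac2, sep_min) or
            one_outside_of_sepmin(ac2, ac1, sep_min) or
            both_outside_of_sepmin_div2(ac1, ac2, sep_min))


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def safely_separated(p1, p2, ifix, on_close_corner, sep_min=SEP_MIN):
    """safely_separated? of section 6.3.  on_close_corner is the truth value of
    on_close_corner?(p1, p2), supplied by the caller; ifix is the intermediate fix."""
    if dist(p1, p2) >= sep_min:
        return True
    return on_close_corner and dist(p1, ifix) + dist(p2, ifix) >= sep_min


if __name__ == "__main__":
    # Constructed pairs: both clear sep_min/2; ac2 alone clears sep_min; neither clears.
    print(not_in_no_enter_zone(Aircraft("R", -2.0), Aircraft("L", 2.0)))   # True
    print(not_in_no_enter_zone(Aircraft("R", -1.0), Aircraft("L", 5.0)))   # True
    print(not_in_no_enter_zone(Aircraft("R", -1.0), Aircraft("L", 1.0)))   # False
```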
7 Proof Concepts

7.1 Status of Verification 


In section 6 we discussed the top-level safety property, Theorem 1. In this section we will
give an overview of the proof of this theorem and its current status.

The AMM protocol uses the various entry regions as well as timings to determine if access 
should be granted, and this is reflected in the proof, where we consider pairs of aircraft based 
on their entry regions and/or which stage of flight they are at. For example, the lemma 

Lemma 2 (safety_RR_LL)

    AMM_PP2?(ac1, ac2) ∧ time_sep_prop ∧
    same_region?(ac1, ac2) ∧
    (regionR?(ac1) ∨ regionL?(ac1)) ∧
    init_sep_prop(ac1, ac2) ∧
    tm_bef_T?(t, ac1) ∧ tm_bef_T?(t, ac2)

    ⊃ safely_separated?(ac_loc(ac1)(t), ac_loc(ac2)(t))

expresses that if two aircraft both enter through region R, with the time separations required by
the protocol, and both fly straight from their entry point to the fix, then spatial separation
is maintained as long as both aircraft are in region R. Once the first aircraft reaches the
iaf_R, it acquires the T, and another lemma is used to handle this case. Since the proof is
symmetrical in the case where both aircraft enter through region L, the lemma safety_RR_LL
is stated so that it covers both these cases.

The proof of Theorem 1 takes the form of a large case split. The following tables indicate
the different cases together with the names of the lemmas covering each case. The tables also
show the proof status for each lemma: P indicates that the proof of the lemma is complete,
U indicates that it is not.

First, the proof of Theorem 1 contains the cases listed in Table 1. This shows that
for the cases regarding regions R and L exclusively the proofs are completed, whereas
the cases covering region M, and the mixed cases of regions R and L with region M, are not
yet proven.

Furthermore, the proof of the lemma safety_both_on_T is based on the case splits in 
Table 2. We see that all the cases where both aircraft are already on the T have complete 
proofs. 

Finally, the proof of lemma Safety_mixed_T is based on the case splits listed in Table 3. 
Here we see that the mixed cases where one aircraft is on the T and the other one is not yet 
on the T have not been proven. 

In the next sections we will discuss in some more detail some of the cases, namely 
safety_RR_LL (section 7.2), safety_both_on_T (section 7.3) and safety_RaLa (section 7.4). In 
section 7.5 we present some observations about one case involving one aircraft on the T and 
the other off of the T. Some minor modifications to the models will be necessary to handle 
this case. 
Name of lemma              Case(s) covered                                               Status
-------------------------  ------------------------------------------------------------  ------
safety_RR_LL               ac1 and ac2 are both in region R or both in region L          P
safety_R1L_L1R             ac1 is in region R with x value of entry point less than or   P
                           equal to sep_min and ac2 is in region L, or symmetric with
                           ac1 in region L and ac2 in region R
safety_RL1_LR1             Similar to safety_R1L_L1R, but with entry point of ac2         P
                           restricted instead of ac1
safety_RaLa                ac1 is in region R and ac2 is in region L, both with absolute  P
                           value of x value of entry point greater than or equal to
                           sep_min/2
safety_M_same_or_adjacent  ac1 and ac2 are in the same or adjacent parts of region M      U
safety_M_non_adjacent      ac1 and ac2 are both in region M, but in non-adjacent parts    U
safety_M_RL                ac1 is in region M, ac2 in either region R or region L         U
safety_RL_M                ac1 is in region R or region L, ac2 in region M                U
safety_both_on_T           ac1 and ac2 are both on the T                                  P
safety_mixed_T             One aircraft has reached the T, the other has not              U

Table 1: Cases in the proof of Theorem 1


Name of lemma        Case(s) covered                                     Status
-------------------  --------------------------------------------------  ------
base_and_final       ac1 is on final and ac2 is on a baseleg             P
on_close_corner      ac1 and ac2 are on a corner, as described in        P
                     section 3.3
both_on_T_final      ac1 and ac2 are both on final                       P
both_on_T_same       ac1 and ac2 are on the same baseleg                 P
both_on_T_not_same   ac1 and ac2 are on opposite baselegs                P

Table 2: Cases in the proof of lemma safety_both_on_T
Name of lemma   Case(s) covered                                     Status
--------------  --------------------------------------------------  ------
safety_T_M      ac1 is on the T, ac2 is in region M                 U
safety_M_T      ac1 is in region M, ac2 is on the T                 U
safety_T_RL     ac1 is on the T, ac2 is in region R or region L     U
safety_RL_T     ac1 is in region R or region L, ac2 is on the T     U

Table 3: Cases in the proof of lemma safety_mixed_T

7.2 Proof of safety_RR_LL 

In this section, we will present the basic idea behind the proof of the case where both aircraft
are in region R or region L. This is illustrated in figure 4. Since in this case the aircraft have
not reached the T, the speeds are constant and the ac_loc function simplifies to the motion
of a particle on a straight line. In fact, it is possible to reason about distances in a triangle
rather than about points moving in 2D space as illustrated in figure 5. The parameters used
in the figure are defined as follows:

Figure 4: Approach Paths for Case RR

Figure 5: Abstraction To Distances in a Triangle

    t        clock time, t = 0 when the second aircraft enters SATS airspace
    Z        time delay between when the first aircraft enters SATS airspace and
             when the second aircraft enters
    sep_min  separation minimum. Two aircraft should never get closer than this
             distance (e.g. 3 miles).
    s1       constant speed of the first aircraft
    s2       constant speed of the second aircraft
    d1       starting distance of the first aircraft from the IAF (initial approach fix)
    d2       starting distance of the second aircraft from the IAF (initial approach fix)

We switch to a local time t which is set to 0 when the second aircraft enters the airspace.
Since aircraft 1 enters the SATS airspace Z seconds before the second aircraft, the following
equations define their remaining distances to the IAF. a(t) is the remaining distance for
aircraft 1 and b(t) is the remaining distance for aircraft 2:

    a(t) = d1 − s1(Z + t)

    b(t) = d2 − s2 t

Using the Law of Cosines, the distance between the two aircraft at time t can be computed
as follows:

    c²(t) = a²(t) + b²(t) − 2 a(t) b(t) cos φ

where φ is the angle at the IAF.

To establish geometric separation, we must show:

    THEOREM: IF 0 ≤ t ≤ J − Z THEN c(t) ≥ sep_min

We remember that x² ≥ y² ⟺ x ≥ y for non-negative x, y, so let's look at c²(t):

    c²(t) = a²(t) + b²(t) − 2 a(t) b(t) cos φ
          ≥ a²(t) + b²(t) − 2 a(t) b(t)
          = (a(t) − b(t))²

since cos φ ≤ 1 and a(t), b(t) ≥ 0. Thus, if we can establish

    c(t) ≥ |a(t) − b(t)| ≥ sep_min

we are done.

We can simplify the formulas for a(t) and b(t) by using the following substitutions:

    K = d1 − d2 − s1 Z
    p = s2 − s1

Then

    |a(t) − b(t)| = |d1 − s1(Z + t) − (d2 − s2 t)|
                  = |d1 − d2 − s1 Z + (s2 − s1) t|
                  = |K + p t|

Thus, if we can establish

    |K + p t| ≥ sep_min

we are done. We can decompose this proof by a simple case analysis:



              s1 ≤ s2     s1 > s2
    d1 ≤ d2   Case 1      Case 3
    d1 > d2   Case 1      Case 4

We will illustrate the proof of case 3 and case 4.


7.2.1 Case 3 

Proof. From the case 3 premises, we have:

    d1 ≤ d2 ∧ s1 > s2 ∧ K = d1 − d2 − s1 Z ∧ p = s2 − s1 ∧
    AMM_PP(d1, d2, s1, s2, Z)                                              (2)

The premise AMM_PP is defined as follows

    AMM_PP(d1, d2, s1, s2, Z) = Z ≥ Z_min(d1, d2, s1, s2) ∧
                                d2 − s2(d1/s1 − Z) ≥ sep_min
It follows trivially from the top-level premise AMM_properties for this situation. The following
lemma holds:

    same_region?(ac1, ac2) ∧ (regionR?(ac1) ∨ regionL?(ac1)) ∧
    AMM_properties?(ac1, ac2)

    IMPLIES

    AMM_PP(dist(ac1, which_iaf(ac1)),
           dist(ac2, which_iaf(ac2)),
           ac1.gs, ac2.gs, entry_time(ac2) − entry_time(ac1))

where ac1.gs, ac2.gs are the ground speeds of aircraft 1 and 2 respectively.

We will prove lemma (2) in two steps:

    |K| ≥ sep_min                                                          (3)

    |K + p t| ≥ |K|                                                        (4)

and, since d1 ≤ d2 in case 3, Z_min simplifies to:

    Z_min(d1, d2, s1, s2) = IF d1 > d2 ∧ s1 > s2 THEN
                               (sep_min + (d1 − d2))/s1
                            ELSE
                               sep_min/s1
                            ENDIF
                          = sep_min/s1

First we need to establish step 1:

    |K| ≥ sep_min

Since Z_min(d1, d2, s1, s2) = sep_min/s1 and Z ≥ Z_min(d1, d2, s1, s2) we obtain:

    s1 Z ≥ sep_min

From the assumptions we see that K < 0, so

    |K| = −K = d2 − d1 + s1 Z
             ≥ s1 Z
             ≥ sep_min
Now all we have to do is establish step 2:

    |K + p t| ≥ |K|

But from the case 3 premises we have p < 0 and hence p t ≤ 0. Thus

    |K + p t| = −K − p t
              ≥ −K
              = |K|

and we are done.

□ 

7.2.2 Case 4 

Proof. From the case 4 premises, we have:

    d1 > d2 ∧ s1 > s2 ∧ K = d1 − d2 − s1 Z ∧ p = s2 − s1 ∧
    AMM_PP(d1, d2, s1, s2, Z)

First we will establish that

    |K + p t| ≥ |K|                                                        (5)

To see this we note that the absolute value function achieves its minimum at zero, thus
|K + p t| is a minimum when t = −K/p. For values of t greater than this we have the
relationship t1 < t2 ⊃ |K + p t1| ≤ |K + p t2|. Thus, from −K/p < 0 ≤ t, we obtain
|K| ≤ |K + p t|, the desired result. Now expanding AMM_PP(d1, d2, s1, s2, Z) we get

    Z ≥ (d1 − d2 + sep_min)/s1

after cross-multiplying we simplify and obtain 0 ≥ −s1 Z + d1 − d2 + sep_min. Using the
definition of K we get −K ≥ sep_min and hence |K| ≥ sep_min. Combining this result with
(5) finishes the proof.

□ 
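A numeric companion to the case analysis above, added here and not part of the paper's PVS development: it evaluates Z_min, the AMM_PP premise, the remaining distances a(t), b(t) and the Law-of-Cosines separation c(t), and checks the sufficient condition |K + p t| ≥ sep_min over the approach interval. The units (knots, nautical miles, hours), the sample values, and the interval end t = d1/s1 − Z (the local time at which the first aircraft reaches the IAF) are this example's assumptions; the second scenario shows what the bound guards against when Z is shorter than Z_min.

```python
"""Triangle abstraction of section 7.2 for the RR/LL case.  Added example, not
the paper's PVS proof.  Assumed units: nm, knots, hours; the interval checked
ends when aircraft 1 reaches the IAF, i.e. t = d1/s1 - Z in local time."""
import math


def z_min(d1, d2, s1, s2, sep_min):
    """Z_min as given in section 7.2.1."""
    if d1 > d2 and s1 > s2:
        return (sep_min + (d1 - d2)) / s1
    return sep_min / s1


def amm_pp(d1, d2, s1, s2, Z, sep_min):
    """AMM_PP premise: Z >= Z_min, and aircraft 2 is still sep_min short of the
    IAF at the moment aircraft 1 arrives there."""
    return Z >= z_min(d1, d2, s1, s2, sep_min) and d2 - s2 * (d1 / s1 - Z) >= sep_min


def remaining_distances(d1, d2, s1, s2, Z, t):
    """a(t) and b(t): remaining distances to the IAF at local time t."""
    return d1 - s1 * (Z + t), d2 - s2 * t


def separation(d1, d2, s1, s2, Z, phi, t):
    """c(t) from the Law of Cosines; phi is the angle at the IAF in radians."""
    a, b = remaining_distances(d1, d2, s1, s2, Z, t)
    return math.sqrt(max(a * a + b * b - 2 * a * b * math.cos(phi), 0.0))


def kp_bound_holds(d1, d2, s1, s2, Z, sep_min, samples=1000):
    """Sufficient condition of the proof: |K + p t| >= sep_min on the interval,
    which together with c(t) >= |a(t) - b(t)| = |K + p t| gives c(t) >= sep_min."""
    K = d1 - d2 - s1 * Z
    p = s2 - s1
    t_end = d1 / s1 - Z
    return all(abs(K + p * (i * t_end / samples)) >= sep_min for i in range(samples + 1))


def min_separation(d1, d2, s1, s2, Z, phi, samples=1000):
    """Smallest geometric separation c(t) found by sampling the interval."""
    t_end = d1 / s1 - Z
    return min(separation(d1, d2, s1, s2, Z, phi, i * t_end / samples)
               for i in range(samples + 1))


if __name__ == "__main__":
    # Constructed case 4 instance (d1 > d2, s1 > s2) with Z above Z_min.
    ok = dict(d1=20.0, d2=15.0, s1=120.0, s2=100.0, Z=0.1)
    print(amm_pp(**ok, sep_min=3.0), kp_bound_holds(**ok, sep_min=3.0),
          min_separation(**ok, phi=math.radians(90)))
    # Same geometry with Z below Z_min: AMM_PP fails, the |K + p t| bound fails,
    # and with a narrow angle at the IAF the aircraft come closer than sep_min.
    bad = dict(ok, Z=0.05)
    print(amm_pp(**bad, sep_min=3.0), kp_bound_holds(**bad, sep_min=3.0),
          min_separation(**bad, phi=math.radians(10)))
```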

7.3 Proof of both_on_T 

In this section, we present the basic idea of the proof of the cases where both aircraft are 
currently on the T: 

Lemma 3 (safety_both_on_T)

    time_sep_prop ∧ AMM_PP2?(ac1, ac2) ∧
    tm_on_T(t, ac1) ∧ tm_on_T(t, ac2)

    ⊃

    safely_separated?(ac_loc(ac1)(t), ac_loc(ac2)(t))
Proof. The proof of this lemma involves 4 cases:

1. Both aircraft on same leg of the T 

2. Aircraft are on opposite legs of the T 

3. One aircraft is on final and the other is on a leg 

4. Both aircraft are on final. 


We will illustrate the proof of the first case: 

    both_on_T_same : LEMMA LET p1 = ac_loc(ac1)(t),
                               p2 = ac_loc(ac2)(t) IN
                           same_baseleg?(p1, p2) ∧
                           AMM_props?(ac1, ac2) ∧
                           tm_on_baseleg?(t, ac1) ∧ tm_on_baseleg?(t, ac2)
                           IMPLIES safely_separated?(p1, p2)

To establish the conclusion, it suffices to show that

    dist(p1, p2) ≥ sep_min

Since both aircraft are on the same leg, we have

    dist(p1, p2) = dist_gone(ac1)(t) − dist_gone(ac2)(t)                   (6)

(To see this for the case where both aircraft are on baselegR, note that p1 = ac_loc(ac1)(t)
simplifies to loc_on_legR(dist_gone(ac1)(t)) and p2 = ac_loc(ac2)(t) simplifies to
loc_on_legR(dist_gone(ac2)(t)). Using the definition of loc_on_legR, we have

    p1_x = dist_gone(ac1)(t) + iaf_R_x
    p1_y = iaf_R_y

    p2_x = dist_gone(ac2)(t) + iaf_R_x
    p2_y = iaf_R_y

from which (6) is obtained.)

By definition of dist_gone we have

    t = tm2pt(ac1)(l1) ⊃ dist_gone(ac1)(t) = l1

    t = tm2pt(ac2)(l2) ⊃ dist_gone(ac2)(t) = l2

Using lemma TD_safety_iaf (7), we have

    l1 − l2 = dist_gone(ac1)(t) − dist_gone(ac2)(t) ≥ sep_min

From this both_on_T_same follows.

□ 
Lemma 4 (TD_safe_sep_iaf)

    time_is_after_iaf?(ac1, ac2, t) ∧
    time_sep * min_speed ≥ sep_min ∧
    time_separation_at_iaf?(ac1, ac2) ∧
    time_separation_at_rt?(ac1, ac2) ∧
    t = tm2pt(ac1)(l1) ∧ t = tm2pt(ac2)(l2)

    IMPLIES l1 − l2 ≥ sep_min                                              (7)

Proof. From TD_tm_sep_everywhere

    ∀l : tm2pt(ac2)(l) ≥ tm2pt(ac1)(l) + time_sep

In particular this is true for l2:

    tm2pt(ac2)(l2) ≥ tm2pt(ac1)(l2) + time_sep

Since tm2pt(ac2)(l2) = tm2pt(ac1)(l1) this becomes

    tm2pt(ac1)(l1) − tm2pt(ac1)(l2) ≥ time_sep                             (8)

From the definition of tm2pt (1), we get

    $$\frac{d}{dl}\,\mathrm{tm2pt}(ac)(l) = \frac{1}{\mathrm{speed\_profile}(ac,\ d\_iaf - l)}$$   (9)

and so d/dl tm2pt(ac)(l) > 0. Hence tm2pt(ac)(l) is an increasing function of l and so l1 > l2. From
(9) we also obtain

    $$\frac{1}{\mathrm{min\_speed}} \;\ge\; \frac{1}{\mathrm{speed\_profile}(ac,\ d\_iaf - l)} \;=\; \frac{d}{dl}\,\mathrm{tm2pt}(ac)(l)$$

and thus

    $$\int_{l_2}^{l_1} \frac{1}{\mathrm{min\_speed}}\,dl \;\ge\; \int_{l_2}^{l_1} \frac{d}{dl}\,\mathrm{tm2pt}(ac)(l)\,dl$$

yielding

    $$\frac{l_1}{\mathrm{min\_speed}} - \frac{l_2}{\mathrm{min\_speed}} \;\ge\; \mathrm{tm2pt}(ac)(l_1) - \mathrm{tm2pt}(ac)(l_2)$$

for all ac. Applying this to ac1 and using (8), we get:

    l1/min_speed − l2/min_speed ≥ time_sep

Multiplying both sides by min_speed yields

    l1 − l2 ≥ time_sep * min_speed

But from premise 2, we have

    time_sep * min_speed ≥ sep_min

and we are done.

□ 
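Lemma 4 can be exercised numerically for piecewise-constant speed profiles, for which tm2pt can be integrated exactly and inverted to give dist_gone. The following is an added example and not the paper's proof: the profile representation, the sample aircraft, the value of time_sep and the units (nm, knots, hours) are constructed for it. The second aircraft is slower than the first over the whole approach, so the derivative ordering that lemma (1) supplies to Lemma 5 holds pointwise.

```python
"""Numeric check of lemma TD_safe_sep_iaf (Lemma 4) for piecewise-constant
speed profiles.  Added example, not the paper's PVS proof.  Assumed model:
tm2pt(ac)(l) is the time at which ac has flown l nm past its IAF, obtained by
integrating 1/speed along the profile (so d/dl tm2pt = 1/speed_profile, the
paper's equation (9)); distances in nm, speeds in knots, times in hours."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Aircraft:
    t_iaf: float        # time at which the aircraft crosses its IAF
    segments: tuple     # ((length_nm, speed_kt), ...) in order from IAF to threshold

    @property
    def d_iaf(self):
        return sum(length for length, _ in self.segments)

    @property
    def min_speed(self):
        return min(speed for _, speed in self.segments)


def tm2pt(ac, l):
    """Time at which ac is l nm past its IAF (exact for piecewise-constant speed)."""
    t, flown = ac.t_iaf, 0.0
    for length, speed in ac.segments:
        step = min(length, l - flown)
        if step <= 0:
            break
        t += step / speed
        flown += step
    return t


def dist_gone(ac, t):
    """Inverse of tm2pt: distance flown past the IAF at time t (0 before the IAF)."""
    remaining_time, flown = t - ac.t_iaf, 0.0
    for length, speed in ac.segments:
        if remaining_time <= 0:
            break
        dt = min(length / speed, remaining_time)
        flown += dt * speed
        remaining_time -= dt
    return flown


def time_separation_at_iaf(ac1, ac2, time_sep):
    return tm2pt(ac2, 0.0) - tm2pt(ac1, 0.0) >= time_sep


def time_separation_at_rt(ac1, ac2, time_sep):
    return tm2pt(ac2, ac2.d_iaf) - tm2pt(ac1, ac1.d_iaf) >= time_sep


def min_along_track_gap(ac1, ac2, samples=2000):
    """Smallest l1 - l2 over the window in which both aircraft are past the IAF
    and ac1 is still short of the threshold (the window Lemma 4 speaks about)."""
    t0, t1 = tm2pt(ac2, 0.0), tm2pt(ac1, ac1.d_iaf)
    return min(dist_gone(ac1, t0 + (t1 - t0) * i / samples) -
               dist_gone(ac2, t0 + (t1 - t0) * i / samples)
               for i in range(samples + 1))


def lemma4_bound(ac1, ac2, time_sep, sep_min):
    """Returns (premises hold, bound time_sep * min_speed, observed minimum gap)."""
    min_speed = min(ac1.min_speed, ac2.min_speed)
    premises = (time_sep * min_speed >= sep_min and
                time_separation_at_iaf(ac1, ac2, time_sep) and
                time_separation_at_rt(ac1, ac2, time_sep))
    return premises, time_sep * min_speed, min_along_track_gap(ac1, ac2)


if __name__ == "__main__":
    # Constructed profiles: 5 nm fast, 5 nm slow; ac2 crosses its IAF 3 minutes later.
    ac1 = Aircraft(0.0, ((5.0, 120.0), (5.0, 90.0)))
    ac2 = Aircraft(0.05, ((5.0, 110.0), (5.0, 85.0)))
    print(lemma4_bound(ac1, ac2, time_sep=0.05, sep_min=3.0))
```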
Lemma 5 (TD_tm_sep_everywhere)

    time_separation_at_iaf?(ac1, ac2) ∧ time_separation_at_rt?(ac1, ac2)
    ⊃ (∀l : tm2pt(ac2)(l) ≥ tm2pt(ac1)(l) + time_sep)

Proof. From lemma (1), we obtain

    $$\Big(\forall l : \frac{d}{dl}\,\mathrm{tm2pt}(ac_1)(l) \ge \frac{d}{dl}\,\mathrm{tm2pt}(ac_2)(l)\Big) \quad \mathrm{OR} \quad \Big(\forall l : \frac{d}{dl}\,\mathrm{tm2pt}(ac_2)(l) \ge \frac{d}{dl}\,\mathrm{tm2pt}(ac_1)(l)\Big)$$

Case 1: (∀l : d/dl tm2pt(ac1)(l) ≥ d/dl tm2pt(ac2)(l)):

Thus

    $$\int_{l}^{d\_iaf} \frac{d}{dl}\,\mathrm{tm2pt}(ac_1)(l)\,dl \;\ge\; \int_{l}^{d\_iaf} \frac{d}{dl}\,\mathrm{tm2pt}(ac_2)(l)\,dl$$   (10)

and hence

    tm2pt(ac1)(d_iaf) − tm2pt(ac1)(l) ≥ tm2pt(ac2)(d_iaf) − tm2pt(ac2)(l)

Rearranging:

    tm2pt(ac2)(l) − tm2pt(ac1)(l) ≥ tm2pt(ac2)(d_iaf) − tm2pt(ac1)(d_iaf)

From the definition of time_separation_at_rt?(ac1, ac2)

    tm2pt(ac2)(d_iaf) − tm2pt(ac1)(d_iaf) ≥ time_sep

and thus we are done.

Case 2: (∀l : d/dl tm2pt(ac2)(l) ≥ d/dl tm2pt(ac1)(l)):

Thus

    $$\int_{0}^{l} \frac{d}{dl}\,\mathrm{tm2pt}(ac_2)(l)\,dl \;\ge\; \int_{0}^{l} \frac{d}{dl}\,\mathrm{tm2pt}(ac_1)(l)\,dl$$   (11)

and hence

    tm2pt(ac2)(l) − tm2pt(ac2)(0) ≥ tm2pt(ac1)(l) − tm2pt(ac1)(0)

Rearranging

    tm2pt(ac2)(l) − tm2pt(ac1)(l) ≥ tm2pt(ac2)(0) − tm2pt(ac1)(0)

From the definition of time_separation_at_iaf?(ac1, ac2)

    tm2pt(ac2)(0) − tm2pt(ac1)(0) ≥ time_sep

and thus we are done.

□ 
7.4 Proof of safety_RaLa

In this section, we will present the basic idea behind the proof of the case where one of the
aircraft is in region R and the other is in region L. This is illustrated in figure 6. Since in this
case the aircraft have not reached the T, the speeds are constant and the ac_loc function simplifies
to the motion of a particle on a straight line. In fact, it is possible to reason about distances
in a quadrilateral rather than about points moving in 2D space. Furthermore, because the
aircraft are restricted (by protocol) from entering the rectangular regions labelled RX and
LX in figure 6, the proof is quite elementary. These regions have width sep_min/2, so the
shortest distance between any two possible trajectories is greater than sep_min. Nevertheless, the
proof has been formalized and checked in PVS. The key abstract lemma was:

Figure 6: Restricted Regions

    c_x < 0 ∧ d_x > 0 ∧
    a_x < 0 ∧ b_x > 0 ∧

    c_x ≤ −sep_min ∧ d_x ≥ sep_min ∧
    a_x ≤ −sep_min/2 ∧ b_x ≥ sep_min/2 ∧

    c_y ≥ a_y ∧

    d_y ≥ b_y ∧

    on_segment?(a, c, p1) ∧
    on_segment?(b, d, p2)

    ⊃ dist(p1, p2) ≥ sep_min
The premises with the predicate on_segment? constrain locations p1 and p2 to be somewhere
on the line segments from a to b and b to c respectively.

Interestingly, we originally expected to be able to prove this theorem without the removal
of the restricted zones. The following informal argument was conceived as illustrated in figure
7. Since the aircraft are originally separated at their entrance times and the paths either
diverge or converge but never come closer together than the length of one of the legs of the
T, they must be adequately separated no matter what the relative speeds are. Unfortunately
this obviously correct “theorem” is false! What the informal reasoning overlooked is the fact
that the original separation guarantee applies when the first aircraft enters and the second
aircraft is still outside of the SATS airspace. Once the first aircraft enters, the regional
controller no longer has responsibility for separation. What we did not realize was that
there were divergent trajectories where the dynamic point of closest approach occurs after
the first aircraft enters the SATS airspace. This is illustrated in figure 8. The points labeled
A are the locations of the aircraft when aircraft 1 first enters. Here they are adequately
but minimally separated. However, when the second aircraft is faster it travels further in
its trajectory than the first aircraft over a time interval. Therefore shortly after aircraft 1
enters, when they are at the positions labelled B, they are closer together than when they
were at points A. Therefore separation is lost. Many vain attempts were made to prove the
separation property in the PVS theorem prover (e.g. using vector formulas for the point of
closest approach) before it was realized that the “lemma” was not true.

Figure 7: Some Erroneous Thinking

7.5 Proof of safety_M_T

While in the process of writing up this paper, we decided to attempt the proof of another case.
Since we had not verified any cases where one aircraft was on the T and the other aircraft
was still approaching the T, we decided to attempt a proof of safety_M_T, where one aircraft
is in region 4 and another one is on final approach. While attempting to prove this case, it
was discovered that this lemma was not true. In this case there is no time synchronization
enforced by the AMM on the aircraft at their virtual or real IAFs. Unfortunately, time
synchronization at the IF (initial fix) and RT (runway threshold) is not sufficient to guarantee
that they are geometrically separated at all times. There are two possible resolutions:

Figure 8: Some Erroneous Thinking

1. Require time synchronization at the IAFs.

2. Generalize the notion of safely_separated to allow path separation in these cases as in
the close_corner situation.

If the second solution is selected, the definition of safely_separated will have to be changed from

    safely_separated?(p1, p2) =
        dist(p1, p2) ≥ sep_min ∨
        (on_close_corner?(p1, p2) ∧ dist(p1, ifix) + dist(p2, ifix) ≥ sep_min)

to something like

    safely_separated?(p1, p2) =
        dist(p1, p2) ≥ sep_min ∨
        (one_final_one_within_iaf?(p1, p2) ∧ dist(p1, ifix) + dist(p2, ifix) ≥ sep_min)
The first resolution is a change to the operational concept itself, whereas the second is a
change to the safety property itself. The first resolution would impose some additional 
timing constraints that would have to be enforced by the AMM and consequently could 
reduce the performance. We suspect that the impact would be fairly small, but this will 
have to be assessed via simulation. Alternatively, the relaxation of the safety property does 
not appear to be unreasonable in that it is directly analogous to what is already done when 
both aircraft are on the T. In fact in this situation the geometric separation is greater than 
when both aircraft are on the T. 


8 Conclusion 

In this paper we have presented a formal model of a concept for sequencing aircraft into 
a SATS airport without a tower, radar, or airport controller. The concept relies upon a 
timing protocol implemented in software named the Aircraft Management Module (AMM). 
The concept has been formally modeled using both continuous and discrete mathematics and 
consists of three main pieces: (1) Model of the SATS airspace using 2-dimensional vectors, (2) 
model of aircraft trajectories as functions of time that are determined by aircraft speed, which 
is dependent upon the remaining distance to the runway threshold, and (3) a requirements 
model of the AMM, which specifies the high-level timing properties enforced by the AMM 
software. 

A mathematical theorem has been formulated which states that the AMM timing protocol 
will maintain adequate separation between all aircraft assuming that all aircraft follow the 
instructions given by the AMM and the “rules of the road” associated with the concept. The 
proof of this theorem was decomposed into ten cases of which five have been proved. The 
preliminary concept modeled in this paper was developed 6 months prior to the completion 
of the SATS draft 1 operational concept so that formal verification techniques and libraries 
suitable for this problem domain could be developed. Hopefully, much of this will be
reused when the final SATS operational concept is modeled and analyzed formally. In order
to move on to the final SATS operational concept, the verification was not fully completed. 
We believe that the completion of 50% of the subcases is enough to demonstrate the feasibility 
of this verification approach even though everything we set out to accomplish in 6 months 
was not finished. However, because of the incompleteness of the proofs we do not know 
whether the preliminary concept itself is safe. We have run many simulations of the concept 
but we do not believe that simulation alone provides a rational basis for assuring safety. We 
do believe that with sufficient effort (probably 2 to 4 man months) the remaining proofs 
could be completed with at most fairly minor modifications to the AMM protocols or stated 
safety properties. 
A Vectors Library

The NASA PVS library contains three distinct vectors libraries 

1. 2-dimensional vectors 

2. 3-dimensional vectors 

3. N-dimensional vectors 

One might wonder why there should be 2D and 3D versions, when an N-dimensional version 
is available. The answer is that there are some notational conveniences for doing this. For 
example, in the 2D version we represent a vector as 

Vector: TYPE = [# x, y: real #] 

whereas in the N-dimensional library a vector is 

Index : TYPE = below (n) 

Vector : TYPE = [Index -> real] 

where n is a formal parameter (posnat) to the theory. Thus, in the two dimensional case, the
x-component of a vector v is v`x whereas in the N-dimensional library it is v(0). Also certain
operations are greatly simplified in the 2D case. The dot product is

    *(u,v): real = u`x*v`x+u`y*v`y; % dot product

in the 2-dimensional case, whereas in the N-dimensional case it is

    *(u,v): real = sigma(0, n-1, LAMBDA i: u(i)*v(i)); % Dot Product

where sigma is a summation operator imported from the reals library.

In this appendix we will present the 2-dimensional version because that is what is used 
in the SATS work. However, the differences in the libraries are kept to a minimum. All 
operators, definitions, and lemmas are given identical names to simplify the use of these 
libraries. 

A.1 2D Vectors

Two names for the vector type are provided in the theory vectors2D.

Vector : TYPE = [# x, y: real #] 

Vect2 : TYPE = Vector 

The vector operators are defined as follows: 
    a : VAR real

    u,v,w : VAR Vector

    -(v) : Vector = (-v`x, -v`y);

    +(u,v): Vector = (u`x + v`x, u`y + v`y);

    -(u,v): Vector = (u`x - v`x, u`y - v`y);

    *(u,v): real = u`x*v`x+u`y*v`y; % dot product

    *(a,v): Vector = (a * v`x, a * v`y);

A conversion is provided so that one can create 2D vectors as follows

    (xv,yv)

rather than having to write

    (# x := xv, y := yv #)

There are several functions and predicates provided such as

    sqv(v) : nnreal = v*v

    norm(v) : nnreal = sqrt(sqv(v))

    zero_vector?(v) : MACRO bool = (norm(v) = 0 AND
                                    v`x = 0 AND v`y = 0)

    nz_vector?(v) : MACRO bool = (norm(v) /= 0 AND
                                  (v`x /= 0 OR v`y /= 0))

    normalized?(v) : MACRO bool = (norm(v) = 1)

    zero : Zero_vector = (0,0);

    ^(nzv) : Normalized = (1/norm(nzv))*nzv

    parallel?(nzu,nzv) : bool = ^(nzu)*^(nzv) = 1 OR
                                ^(nzu)*^(nzv) = -1

    orthogonal?(u,v) : bool = u * v = 0;

There are several dozen lemmas available for manipulating vectors such as

    add_assoc           : LEMMA u+(v+w) = (u+v)+w
    add_move_right      : LEMMA u + w = v IFF u = v - w
    add_cancel_left     : LEMMA u + v = u + w IMPLIES v = w
    neg_distr_sub       : LEMMA -(v - u) = u - v
    dot_eq_args_ge      : LEMMA u*u >= 0
    dot_distr_add_right : LEMMA (v+w)*u = v*u + w*u
    dot_scal_left       : LEMMA (a*u)*v = a*(u*v)
    dot_scal_canon      : LEMMA (a*u)*(b*v) = (a*b)*(u*v)
    sqv_scal            : LEMMA sqv(a*v) = sq(a)*sqv(v)
    sqrt_sqv_norm       : LEMMA sqrt(sqv(v)) = norm(v)
    norm_eq_0           : LEMMA norm(v) = 0 IFF v = zero
    cauchy_schwartz     : LEMMA sq(u*v) <= sqv(u)*sqv(v)


A.2 Positions in 2D space

The theory positions2D enhances the vector space with constructs for specifying distances.
One frequently wants to use a vector to designate a location in 2D space. To make this more
explicit, the following type definition was added

    Pos2D : TYPE = Vect2

though it is really just a synonym. Next it is useful to have a metric or distance function:

    sq_dist(p1,p2: Pos2D) : nnreal = sq(p1`x - p2`x) + sq(p1`y - p2`y)

    dist(p1,p2: Pos2D) : nnreal = sqrt(sq_dist(p1,p2))

Many lemmas are available, including

    dist_refl     : LEMMA dist(p,p) = 0
    dist_sym      : LEMMA dist(p1,p2) = dist(p2,p1)
    dist_eq_0     : LEMMA dist(p1,p2) = 0 IFF p1 = p2
    dist_norm     : LEMMA dist(u,v) = norm(u-v)
    sq_dist_le    : LEMMA sq_dist(v1,v2) <= sq_dist(p1,p2) IMPLIES
                          dist(v1,v2) <= dist(p1,p2)
    dist_ge_x     : LEMMA dist(p1,p2) >= abs(p1`x - p2`x)
    dist_ge_y     : LEMMA dist(p1,p2) >= abs(p1`y - p2`y)
    dist_triangle : LEMMA sq(dist(p2,p0)) = sq(dist(p1,p0)) + sq(dist(p1,p2))
                                            - 2*(p1-p0)*(p1-p2)

The following predicates are available:

    on_circle?(p,r) : bool = dist(p,zero) = r

    on_line?(p1,p2,p) : bool =
        EXISTS (x : real) : p = p1 + x * (p2 - p1)

    on_segment?(p1,p2,p) : bool =
        EXISTS (x : { y: nnreal | y <= 1}) : p = p1 + x * (p2 - p1)
A.3 2D Lines

The theory lines2D provides convenient formalizations for lines in 2-dimensional space. The
traditional way to define a line L is by specifying two distinct points, p0 and p1, on it. A
line L can also be defined by a point and a direction. Let p0 be a point on the line L and
let dv be a nonzero vector specifying the direction of the line. This is equivalent to the two
point definition, since we could just put dv = (p1 − p0). We can also add dynamics to our
line. If we assume a particle is moving in a line with a constant velocity, then we can define
this linear motion using the location of the point at time zero, a velocity vector and a time
parameter t:

    p0 + t * vel

which provides the location of the particle at time t.

In the library, lines are defined as a tuple:

                                    % Basic               | Dynamic
                                    % ---------------------+---------------------
    Line : TYPE = [# p: Vect2,      % point on the line    | position at time 0
                     v: Nz_vect2 #] % direction vector     | velocity vector

    Line2D: TYPE = Line

This enables one to represent a line using a point and a direction vector

    p(L) + v(L)   or   L`p + L`v

or using a point and a velocity vector

    p(L) + t v(L)   or   L`p + t * L`v

The following alternate field names are provided

    p0(L: Line) : MACRO Vect2 = p(L)     % alternate field names
    vel(L: Line): MACRO Vect2 = v(L)

For example

    L`p0 + t * L`vel

This can be abbreviated using the following macro:

    loc(L: Line)(tt: real): MACRO Vect2 = p(L) + tt*v(L)

Two functions are provided to calculate the velocity vector for different situations:

    vel_from_tm:  generates velocity vector from two points and transport time

    vel_from_spd: generates velocity vector from two points and speed

These are defined as follows
    vel_from_tm(p1,p2,t) : { v | p2 = p1 + t*v } = 1/t*(p2 - p1)

    vel_from_spd(p1,p2,s) : Vect2 = IF p1 = p2 THEN zero
                                    ELSE s/dist(p1,p2)*(p2-p1)
                                    ENDIF

Other useful lemmas include

    vel_from_tm_rew     : LEMMA vel_from_tm(p1,p2,t) = 1/t*(p2 - p1)
    vel_from_tm_eq_args : LEMMA vel_from_tm(p,p,t) = zero
    vel_from_spd_lem    : LEMMA p1 /= p2 IMPLIES
                                vel_from_spd(p1,p2,ps) = vel_from_tm(p1,p2,dist(p1,p2)/ps)
    vel_from_spd_norm   : LEMMA p1 /= p2 IMPLIES
                                vel_from_spd(p1,p2,s) = s*normalize(p2-p1)

Some predicates on lines are also provided:

    L,L1,L2 : VAR Line

    on_line?(p,L) : bool = EXISTS (x : real) : p = p(L) + x * v(L)
    on_segment?(p,L) : bool =
        EXISTS (x : { y: nnreal | y <= 1}) : p = p(L) + x * v(L)
    orthogonal?(L1,L2) : bool = ^(v(L1))*^(v(L2)) = 0

    parallel?(L1,L2) : bool = ^(v(L1))*^(v(L2)) = 1 OR ^(v(L1))*^(v(L2)) = -1

A.4 Intersecting Lines

The theory intersections2D provides some efficient methods for determining whether two lines
intersect or not and the point of intersection if they do so. The theory is built around a
function named cross:

    cross(p, q) = p_x * q_y − q_x * p_y

The following simple property holds for cross:

    cross(p, q) = −cross(q, p)

There are three cases for two lines L0 and L1:

    intersecting:  cross(L0_v, L1_v) ≠ 0

    parallel:      cross(L0_v, L1_v) = 0 AND cross(Δ, L0_v) ≠ 0

    same line:     cross(L0_v, L1_v) = 0 AND cross(Δ, L0_v) = 0

where Δ = L1_p − L0_p. Correspondingly, the library provides the following predicates:
    intersect?(L0,L1) : bool = cross(L0`v,L1`v) /= 0

    same_line?(L0,L1) : bool = LET DELTA = L1`p - L0`p IN
                               cross(L0`v,L1`v) = 0 AND cross(DELTA,L0`v) = 0

Given two lines that intersect, the function intersect_pt returns the intersection point:

    intersect_pt(L0: Line2D, L1: Line2D | cross(L0`v,L1`v) /= 0): Pos2D =
        LET DELTA = L1`p - L0`p,
            ss = cross(DELTA,L1`v)/cross(L0`v,L1`v) IN
        L0`p + ss*L0`v

Several key lemmas are provided:

    intersection_lem : LEMMA cross(L0`v,L1`v) /= 0 IMPLIES
                             LET DELTA = L1`p - L0`p,
                                 ss = cross(DELTA,L1`v)/cross(L0`v,L1`v),
                                 tt = cross(DELTA,L0`v)/cross(L0`v,L1`v)
                             IN
                                 L0`p + ss*L0`v = L1`p + tt*L1`v

    pt_intersect : LEMMA on_line?(p,L0) AND on_line?(p,L1) AND
                         NOT same_line?(L0,L1) IMPLIES
                         intersect?(L0,L1)

    intersect_pt_unique : LEMMA intersect?(L0,L1) IMPLIES
                                pnot /= intersect_pt(L0,L1) AND
                                on_line?(pnot,L0)
                                IMPLIES
                                NOT on_line?(pnot,L1)

    same_line_lem : LEMMA p0 /= p1 AND
                          ( on_line?(p0,L0) AND on_line?(p0,L1) AND
                            on_line?(p1,L0) AND on_line?(p1,L1) )
                          IMPLIES same_line?(L0,L1)

    not_same_line : LEMMA on_line?(p,L0) AND
                          NOT on_line?(p,L1)
                          IMPLIES
                          NOT same_line?(L0,L1)

    intersect_pt_lem : LEMMA NOT same_line?(L0,L1) AND
                             on_line?(pnot,L0) AND
                             on_line?(pnot,L1)
                             IMPLIES
                             intersect_pt(L0,L1) = pnot
A.5 Closest Approach

The theory closest_approach_2D provides some tools to calculate the point of closest approach
(CPA) between two points that are dynamically moving in a straight line. This is an im-
portant computation for collision detection. For example, this can be used to calculate the
time and distance of two aircraft (represented as line vectors) when they are at their closest
point.

Suppose we have two time-parametric linear equations

    p(t) = p0 + t u        q(t) = q0 + t v

Minimum separation occurs at:

    $$t_{cpa} = -\frac{w_0 \cdot (u - v)}{|u - v|^2}$$

where w0 = p0 − q0. The library provides a function time_closest:

    time_closest(p0,q0,u,v) : real =
        IF norm(u-v) = 0 THEN   % parallel, eq speed
            0
        ELSE
            -((p0-q0)*(u-v))/sq(norm(u-v))
        ENDIF

The following lemma gives an alternate way to calculate the function.

    time_closest_lem: LEMMA norm(u-v) /= 0 AND
                            a = (u-v)*(u-v) AND
                            b = 2*(p0-q0)*(u-v)
                            IMPLIES
                            time_closest(p0,q0,u,v) = -b/(2*a)

The lemma time_cpa establishes that this time is indeed the point where the distance is at a
minimum.

    time_cpa: LEMMA t_cpa = time_closest(p0,q0,u,v)
                    IMPLIES
                    is_minimum?(t_cpa, (LAMBDA t: sq_dist(p0+t*u, q0+t*v)))

See

    http://geometryalgorithms.com/Archive/algorithm_0106/algorithm_0106.htm

for a very nice discussion.
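The intersection and closest-approach functions of appendices A.4 and A.5, together with the section 7.4 observation that the point of closest approach can fall after both aircraft are already inside the airspace, as an added Python example. This is not the NASA PVS library; it mirrors the definitions above in plain tuples, and the coordinates, velocities and sep_min value are constructed for the illustration (units arbitrary but consistent).

```python
"""2D line intersection and closest-approach helpers mirroring the appendix
theories intersections2D and closest_approach_2D.  Added example, not the
NASA PVS library.  Lines are dicts {"p": point, "v": direction/velocity}."""
import math


def line(p, v):
    return {"p": p, "v": v}


def sub(a, b): return (a[0] - b[0], a[1] - b[1])
def add(a, b): return (a[0] + b[0], a[1] + b[1])
def scale(s, a): return (s * a[0], s * a[1])
def dot(a, b): return a[0] * b[0] + a[1] * b[1]
def norm(a): return math.sqrt(dot(a, a))
def sq_dist(p, q): return dot(sub(p, q), sub(p, q))


def cross(p, q):
    """cross(p, q) = p_x*q_y - q_x*p_y, the appendix's function."""
    return p[0] * q[1] - q[0] * p[1]


def intersect(L0, L1):
    return cross(L0["v"], L1["v"]) != 0


def same_line(L0, L1):
    delta = sub(L1["p"], L0["p"])
    return cross(L0["v"], L1["v"]) == 0 and cross(delta, L0["v"]) == 0


def intersect_pt(L0, L1):
    """intersect_pt: defined only when intersect?(L0, L1) holds."""
    if not intersect(L0, L1):
        raise ValueError("lines are parallel or identical")
    delta = sub(L1["p"], L0["p"])
    ss = cross(delta, L1["v"]) / cross(L0["v"], L1["v"])
    return add(L0["p"], scale(ss, L0["v"]))


def time_closest(p0, q0, u, v):
    """t_cpa = -(w0 . (u - v)) / |u - v|^2 with w0 = p0 - q0; 0 when the
    relative velocity vanishes (parallel paths at equal speed)."""
    rel = sub(u, v)
    if norm(rel) == 0:
        return 0.0
    return -dot(sub(p0, q0), rel) / dot(rel, rel)


def time_closest_quadratic(p0, q0, u, v):
    """The alternate form from time_closest_lem: -b/(2a)."""
    rel = sub(u, v)
    a = dot(rel, rel)
    b = 2 * dot(sub(p0, q0), rel)
    return -b / (2 * a)


def separation_at(p0, q0, u, v, t):
    return math.sqrt(sq_dist(add(p0, scale(t, u)), add(q0, scale(t, v))))


def is_local_minimum(p0, q0, u, v, t, h=1e-3):
    """Finite-difference check of time_cpa: sq_dist is no smaller at t +/- h."""
    f = lambda s: sq_dist(add(p0, scale(s, u)), add(q0, scale(s, v)))
    return f(t) <= f(t - h) and f(t) <= f(t + h)


if __name__ == "__main__":
    # Constructed section 7.4 situation: aircraft 1 enters at the origin heading
    # east at unit speed; the faster aircraft 2 is exactly sep_min = 3 away at
    # that instant.  Separation is minimal at t = 0, yet the CPA comes later.
    p0, u = (0.0, 0.0), (1.0, 0.0)
    q0, v = (0.0, 3.0), (4.0, -1.0)
    t = time_closest(p0, q0, u, v)
    print(t, separation_at(p0, q0, u, v, 0.0), separation_at(p0, q0, u, v, t))
    print(intersect_pt(line(p0, u), line(q0, v)))
```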